Vulnerabilities discovered in the Stagefright media playback engine that is native to Android devices could be the mobile world’s equivalent of Heartbleed. Almost all Android devices contain the security and implementation issues in question; unpatched devices are at risk from straightforward attacks against specific users that put their privacy, data and safety in jeopardy.

Google has patched internal code branches, but devices require over-the-air updates and given the shaky history of handset manufacturers and carriers pushing out security fixes, it’s unknown how long it will take to update vulnerable devices, or whether some will ever get fixed. Silent Circle has patched its Blackphone against the vulnerabilities, as has Mozilla, which uses Stagefright code in Firefox.

The flaws have been in Android since—and including—version 2.2; devices running Android versions older than Jelly Bean (4.2) are at greater risk since they lack exploit mitigations that have been built into newer versions of the OS.

Researcher Joshua Drake, vice president of platform research and exploitation at Zimperium zLabs, said exploits could be particularly insidious because an attacker need only send a malicious MMS message that triggers the vulnerability without user interaction, then delete the message before the victim is aware of it. All an attacker would need, Drake said, is the device’s phone number.

“It’s a nasty attack vector,” he said.

The problem is that Stagefright is an over-privileged service: on some devices it runs with system access, which gives it privileges close to those of apps running as root. Stagefright is used to parse a number of common media formats, and it is implemented in native C++ code, which makes memory-corruption bugs in that parsing simpler to exploit.

“On some devices, [Stagefright] has access to the system group, which is right next to root—very close to root—so it should be easy to get root from system,” Drake said. “And system runs a lot of stuff. You’d be able to monitor communication on the device and do nasty things.

“That process, you would think, would be sandboxed and locked down as much as it could because it’s processing dangerous, risky code, but it actually has access to the Internet. Android has a group enforcement where it allows [Stagefright] to connect to the Internet. This service is on all Android devices. I’d rather not have a service that’s doing risky processing have Internet access.”

Drake estimates that 950 million Android devices could be exposed by the half-dozen bugs and implementation issues he’s expected to detail in a presentation next week during the Black Hat conference in Las Vegas.

Drake speculates that Stagefright has its excessive permissions and Internet access to support some forms of digital rights management processing or streaming playback. He characterized the metadata processing that happens around MPEG-4 files as aggressive and promiscuous, behavior that allows an attacker to silently trigger exploits in the background.

“When I see promiscuous behaviors, I get nervous,” he said. “It’s not a good idea to process that much from untrusted sources.”

An attacker in possession of their target’s phone number could send an MMS or even a Google Hangouts message to an affected device that triggers the vulnerability before the victim has a chance to open the message. In some cases, the attack would delete the MMS in question, leaving behind only a notification that a message was received. Drake said the processing carried out by Stagefright is a bad design and implementation choice. Once he dug in, did additional fuzzing and learned more context from prior work, he uncovered close to a dozen issues, half of them critical remote code execution vulnerabilities; the others were less serious and had no RCE implications.

“I think it’s a bad idea to do this sort of processing,” Drake said. Some mitigations exist; in Google Hangouts settings, for example, a user can request that MMS messages not be downloaded automatically.

“Older devices don’t have that option; older devices are more exposed and at risk,” Drake said, adding that exploits against Ice Cream Sandwich and Gingerbread are much easier to develop, which puts those versions at extreme risk. “They don’t have the hardening measures Android has these days.”