
Echoes of Stagefright: Samsung Releases Bugfix for All Phones Sold Since 2014

Published: 18.05.2020

Updated: 18.05.2020

Author: Erik Vasaasen

Mobile manufacturers releasing security updates and bugfixes isn’t anything new, so what makes this bugfix noteworthy? To understand that we have to go back in time to 2015…

Back in July 2015, Android was hit by a remotely exploitable bug which got a lot of attention. The bug, known as Stagefright, could be exploited by a remote attacker simply by sending an MMS. With Stagefright, the attacker only needed to know the phone number to get remote code execution and privilege escalation. The recipient would not have to even open the message to be infected with malware.

This week, Samsung released a bugfix for all phones produced since 2014. The reason? A bug which is very similar to Stagefright. This bug also let attackers infect phones with malware simply by sending MMSs, without the target even having to open the MMS. As there has been some improvement to the underlying security of Android, an attacker would now have to send 50 to 300 MMS messages to exploit the bug. According to the Google researcher who found the bug, there are also ways of sending an MMS without generating a notification message. Of course, the first thing an attacker would install would be a remote administration tool, usually known as a RAT, which could be used to remove any traces of received messages.

The exact method exploited with Stagefright and now with this Samsung bug is not very important. As users we want our smartphones to be as useful as possible, and to use them to communicate with friends and family. The underlying security vulnerability is that with all the different communication protocols there are a lot of different attack surfaces that can be exploited. This is nothing new, as even back in 2001 you could crash a Nokia phone by sending a specially crafted text message.

Here are some examples of how the different features in your phone can be exploited:

  • Underlying network protocols, such as the chips used to communicate on 4G and 5G, have various security issues.
  • Bluetooth and WiFi implementations have their own sets of issues.
  • Operator communication protocols are similarly affected, e.g. issues with SIM cards.
  • Attackers have also exploited messaging protocols such as WhatsApp. It is reasonable to assume that other messaging apps, such as Telegram and Facebook Messenger, have similar issues.

Common to all of these examples is that they can be exploited without any action performed by the end-user. It is enough that you connect to a WiFi network, have your phone connected to a mobile network, or that a messaging program is running in the background when someone sends you a message. Of course, some of these attacks might require physical proximity, such as for Bluetooth, and exploiting the 3G/4G chipset would require an attacker to configure a fake base station, which is not trivial.

What can you do to avoid this type of attack? Sadly, the only thing you can do is to make sure that your device is updated, and that you still receive security updates. If you’re Jeff Bezos the answer might simply be to stop using smartphones altogether.

We at Okay assume that there are criminals exploiting bugs like this to target your customers, and do our best to protect your authentications and transactions. To read more about how we do it, visit our SCA product pages. 
