‘Stagefright’ vulnerability fix heading to Xperia Z series this month [Update]

by XB on 6th August 2015

An exploit was discovered last week by researchers at Zimperium that is believed to leave the majority of Android devices vulnerable to attack. Hackers could potentially use the libStageFright media library (hence ‘Stagefright’) as a way into your device when it processes an MMS. An attacker would potentially need only your mobile number and could then execute an attack with no user interaction. Even worse, the MMS can delete itself before you open it. Zimperium says that “issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices”.

Many of you have got in touch with us asking when a fix is likely; however, Sony has officially been quiet on the matter. Google is working alongside all of the key Android manufacturers to deliver updates that patch this exploit. At Black Hat 2015, Google confirmed that a fix will arrive this month for the newer Xperia Z series such as the Xperia Z2, Z3, Z3+/Z4 and Z3 Tablet Compact. However, “hundreds more” devices will also receive the update, so other Sony Xperia devices won’t be left in the cold.

If you want to find out whether your Sony Xperia device is vulnerable to this exploit, Zimperium has created the Stagefright Detector App, which will test your handset.

Update: Sony has got in touch with a statement on how they are tackling the Stagefright exploit.

“Sony has received the patches from Google to correct the issue and are making them available through retail partners within ongoing software maintenance – updates will start rolling out over the next few weeks, with exact timings varying by region.

“Users can also take steps to protect themselves by disabling the automatic download of MMS messages and deleting those from unknown senders, exercising caution when opening email attachments, connecting to well-known Wi-Fi networks and ensuring websites, services and application stores are authentic.”

Sony Xperia Z2/Z3/Z4 series will receive the Stagefright fix later this month


Use the Stagefright Detector App to determine the vulnerability on your handset


Via Zimperium [image via Tweakers.net.]

Thanks Diogo!

  • dragonsneeze

    what is mms?


    Multi Media Messages

  • GoInToTheWater


    MMS = MurMaiderS by Dethklok

  • Fadi Obaya

    I checked with my Z ultra. Not funny at all. A fix should be applied for all devices together. Same time.

  • AndropaX

    Always we have custom roms…

  • Jecht_Sin

    Vulnerable. Xperia M2 Kitkat 4.4.4. Now, is there a simple fix for rooted phones? Like changing a library or the media server binary?

  • notzippy

    I would be extremely happy to fix my own Z1 if sony would unlock my bootloader.

  • Timel

    Disable auto-retrieve MMS from settings..that should be of some help.

  • Samuel

    Can this be used to root 5.1.1?

  • mUSICA

    HMmmm MY xperia ZR No Root, Wtf

  • AndropaX

    You should buy a phone not from a carrier which locks phones…

  • notzippy

    I bought unlocked from a reseller not a carrier. Unfortunately I did not ask if bootloader was unlocked..

  • mountain

    I am interested to find out which 5% devices are not vulnerable…

  • Gayashan


  • Svnjay

    Mine isn’t.

  • Tommy He

    Z1 Compact, affected.

    Just turned off MMS receive for safe.

  • bahar_b

    Can Sony release a small patch to fix this?

  • Mohamed adel ali

    So what about the Z1? It’s not mentioned by Google.

  • Ryan Kumar-jassi

    I find it hilarious how my Z2 tablet wifi is affected with no phone number, yet to try my Z2 phone

  • Ryan Kumar-jassi

    Nor Z, they’re most likely gonna mention the older Z series later like they always do

  • Mohamed adel ali

    so we will get this update am i right ?

  • Mohamed adel ali

    same here

  • Ryan Kumar Jassi

    We should get this update. I can’t see why they wouldn’t give it to the whole of the Z series, not to mention the Z will be getting 5.1. I really can’t see why not, but this doesn’t bother me anyway. I know there’s like a very rare and low chance someone will really hack me. I can’t see what I have they’ll want, so it’d be useless anyway.

  • Ryan Kumar Jassi

    Hooray for custom rom!

  • KzX

    My Z2 is vulnerable too, hope that patch will be released very soon.

  • Brayan Ramírez

    Why not to release the patch at the same time for all devices not only Z line-up I mean this is supposed to be something to fix ASAP

  • Svnjay

    You can unlock it yourself.

  • OchreFox

    And this is why Sony only knows about the existence of Xperia Z devices.

  • Benjamin Levy

    Google is saying that any device running Android 4.1 or later probably isn’t vulnerable to the Stagefright vulnerability because of Address Space Layout Randomization (ASLR). It was added to Android to make it difficult for buffer overflows to do anything damaging.

    If you’re still worried, you can tell your SMS app to not automatically download images (MMS).

    You can read more about Stagefright and ASLR at:

  • Benjamin Levy

    Also, Google says they will be releasing a new version of their Messenger (SMS) app in a few days. I’m not sure about the Hangouts app.

  • Peter Angelov

    Well, my Xperia M4 Aqua is not affected. Very strange considering that I have Android 5.0 while Z2/3 have 5.1.1. Obviously it depends not only on the OS version.

  • Sorry if I’m asking kind of a silly question, but what is that Stagefright anyway? Is it a kind of virus or what, and what does it do to our phone?

  • marcyff2

    it is quite easy to unlock the bootloader, xda devs have good guides for it. Be aware that both camera and music won’t perform to their best on Stock apps, as the DRM keys sony put in will be gone with the bootloader unlock.

  • marcyff2

    Following my understanding, it is a spyware which, when on your phone, can liberate hackers to see and monitor your activities (online purchases, credit and debit card information…).

  • Amimanot

    It’s actually a fancy name for a vulnerability that currently exists in most Android phones right now. That vulnerability allows hackers to have full access to your phone with an MMS message.

  • Vijayraj KP

    The test shows my phone vulnerable

  • fast83

    How about deactivating MMS altogether, since NOBODY, and I really mean NOBODY uses them from the dawn of time? I mean come on, there’s whatsapp, hangouts, Telegram, wechat, FB messenger, hundreds of apps to share your pics or texts or videos, why the hell are people still TALKING about MMS??
    Deleted the MMS Apn, deactivated the auto retrieval, that’s it, MMSs are dead to me (since like 2008 anyway).

  • Alvin

    Well. This ain’t right.

  • Mads


  • mehdi milani

    xperia z3 dual so what???????????????

  • Florian Hubold

    It’s not only about MMS, but about anything that’s played via the libstagefright library (software audio/video decoder) hence potentially every app which can show video or audio (think any browser or any app) is affected. MMS should simply be disabled as it offers the biggest attack surface by default – default is automatic retrieval of embedded content, so you could send an MMS to every telephone number and everybody would be affected.

  • Benjamin Levy

    Google says that if you’re running Android 4.1 or later, Stagefright might let folks in, but Android’s ASLR randomizes the locations of the system functions, so there is no way for an MMS virus to figure out what the addresses of the system functions are.

  • notzippy

    No, you can only unlock it if your status is Bootloader Unlock Allowed : YES, mine is Bootloader Unlock Allowed : No. If sony would change this status then I would be happy.

  • Alfino Setya

    It’s weird my Z3c is vulnerable but my lenovo tab 2 a7 isn’t. How come? :-

  • Martin Ambre

    Sony Xperia Z3 Compact is facing restart problems after recent update 5.1.1
    Even factory reset device after update
    Also used Sony companion repair tool to flash it but still a lot of issues

    The shade effect is slow
    All blacks when switched On the screen look like gray

    Sony development team don’t perform quality checks?

  • aiamkesz

    I am surprised ‘Galaxy S3’ and ‘S4’ are mentioned but my ‘Xperia Z’ isn’t.

  • >why the hell are people still TALKING about MMS??

    data is expensive as fuck where I live. also my sister, my parents, my brother-in-law and my best friend (people who I communicate with the most) are all using dumbphones. I can’t really send them a photo via Telegram, can I?

  • hopefully the update will be something more than that one fix.

  • shyam

    Vulnerable for by Xperia tablet z, when update will receive?

  • fast83

    Well, here where I live (Italy) I have 7GB in 4G (and a bunch of minutes and sms) with 12 euros a month, which are like 15 USD or 8.5 GBP.
    MMSs STILL cost 50 euro cents, they have always cost that, and for a 150kb photo, nobody ever bothered from what I remember.
    MMSs are not even mentioned from phone companies anymore, nor are they included in the typical “all inclusive” plan.
    That’s for saying that even the phone companies themselves don’t care.
    I’m sorry if data costs that much where you live (that is… where?), you’d probably be better off getting a plan from another country (I don’t remember exactly, but should be like 5 euros a week for 500mb, which are not a lot, but better than nothing), but things are going forward as always, and MMSs will stay back and we’ll wave them goodbye for good in the near future. :)

  • Gregory Opera

    Yeah, my Xperia Z Ultra showed multiple vulnerabilities, too…

  • I live in Poland. I’m currently paying 24€ every 5 months. Sending an SMS costs me 0,002€, and sending an MMS 0,002€. And I’m paying 0,06€ for 50kB, so it quickly adds up even when checking my email.

  • fast83

    I just spent like 5 minutes finding out that the first Polish phone company I checked offers 500mb plus minutes, sms etc. at 30 Zloty, or 2Gb with minutes, sms etc. at 40 Zloty. Seeing that the first is like 7 euros and the second around 9, the tariffs don’t seem so high to me…

  • the thing is, every tariff seems at least a bit more expensive than what I’ve got right now when it comes to texting and calling. and to get a better deal, I’d have to switch carriers, which in turn would make me pay more when calling my family. I’m currently considering switching to a more internet-centric tariff anyway, but the thing is, I’ll keep sending MMS because dumbphones.

  • Kazandu

    And I’m still waiting for my 5.1.1 Update :/

  • Samuel

    570 and 580 firmwares solve the issue. Z2 running Bell Mobility 570 firmware

  • Sachin_S

    My Xperia Z1 shows, what I want to do now?

  • Roy Keloi

    I guess my Xperia p is not considered a priority

  • Michael Wiedemann

    This was a month ago… where are the updates?

  • Gregory Opera

    You’re concerned about the timing of updates… Yet you’re using Android?

    Seriously dude, if you’re concerned about security, Android is not the mobile device operating system you want to be using… Google and virtually all of the manufacturers are slow to release updates and upgrades to security fixes.

    Sometimes it takes a month, sometimes two and sometimes users never even see updates/upgrades at all…

    And of course, that doesn’t even take into account the fact that “Stagefright” is not the only security issue in Android at this time – there’s at least half-a-dozen security issues (and I’m probably underestimating), many of which are considered “critical”!

    “Stagefright” just happens to be what’s in the news at the moment…

  • Michael Wiedemann

    I was just referring to the posted deadline above (“updates will start rolling out over the next few weeks, with exact timings varying by region.”).

    Due to the critical nature of fixing issues, Google and its partners should find a way to push fixes sooner (besides the fact that some functionality is already located in Google apps).

  • remy

    My brand new Z5 Compact is vulnerable to ALL CVE’s!
    WHAT THE HELL SONY, it’s more than 2 months AND brand new phones are not fixed!

  • Gregory Opera

    It’s Android, get used to it.

    Statistically, nine out of every ten Android mobile devices (from ALL manufacturers, not just Sony) are vulnerable to at least one of the “major” security issues discovered in Android over the last five years or so…

    If security is your concern and you’re not prepared to build/maintain your own version, then Android is not the mobile device operating system you want to be using.

    Until Ubuntu Phone becomes available to the masses next year, your only alternative if you’re not comfortable with this is Apple – but good luck with their so-called “walled garden”!

  • Gregory Opera

    Well, it looks like the updates issue is far more widespread than even I thought:

    Nine out of every ten devices are still affected by at least one of the “major” Android security issues discovered over the last five years?

    That’s a big call, and a frightening one at that (though if you look at the history of Android updates/upgrades – even from major manufacturers – it’s not difficult to believe…)!

  • remy

    I am aware of the situation and it’s absolutely hilarious.
