A critical vulnerability found in Android phones is being described as one of the “worst Android vulnerabilities to date.” It allows a hacker to compromise 95% of Android devices, with a single text message. Considering that 80% of mobile device users use Android, potentially 950 Million smartphones, this is especially frightening!
How Stagefright Works
The attacker only needs your cell phone number to compromise your Android phone. Unlike phishing, in which the victim actually needs to open an infected attachment or link to let the malware in, with Stagefright the victim does not need to take any action for the vulnerability to be exploited. Simply by sending an MMS text message with the virus embedded in a video, the attacker can take over the victim’s phone including copying and deleting photos and other data, and using the phone’s microphone and camera to spy on the victim.
The attack takes advantage of Android’s built-in Stagefright media library which is used for audio and video playback. To reduce video viewing lag time, Stagefright processes a video the moment it is received. Processing the video triggers the vulnerability, letting the malware in. If you use the messaging app Hangouts, it instantly processes videos and keeps them ready in the phone’s gallery. The malware attached to the video will be processed before you even hear the alert that you’ve received a text message! However, if you use the phone’s default messaging app, you would actually have to view the text message, even if you did not view the video, before the attachment would be processed.
What’s being done about it
The vulnerability was discovered by Joshua Drake, a security researcher at Zimperium Labs. In April and May, he reported his findings to Google and he sent patches to fix the problem. Google promptly notified partners and sent a fix to Android smartphone makers. It is now up to the Android phone manufacturers to reissue the patches to users. Unfortunately, some manufacturers don’t update older models. Manufacturers and cell service carriers like Verizon and T-Mobile tweek Android designs, which makes it challenging to update the operating systems. Drake estimates that only 20% – 50% of devices will get fixed. Although it does not appear that any Android phones have been compromised to date, this leaves a lot of phones vulnerable!
What you can do
If you use an Android phone, install updates immediately! If your manufacturer has not issued patches, contact the device manufacturer directly to find out about specific plans for security update releases.
There are steps (suggested by zdnet) which you can take on your own device that can help to protect you. Some newer Android operating systems enable you to block text messages from unknown senders (which would protect you if the text was not sent by a friend with an infected device). This is enabled in Kitkat in the settings of the Messenger app. In older versions it is not possible to block unknown senders. However, in Lollipop, you can turn off Auto Retrieve for multimedia messages in settings. If you are a Big Idea Technology client, call our IT help desk and we’ll walk you through these settings.