Stagefright – An Android bug that you SHOULD be worried about

What is Stagefright?

In the last few days, details have started to emerge about a particularly nasty bug affecting as many as 1 billion (yes, 1 BILLION) Android-based smartphones.

The bug has been dubbed ‘Stagefright’ because it has been discovered in a module of the MMS handling system rather aptly called ‘Stagefright’.

Details are rather sketchy at the moment, as the discoverers of the bug are planning to release full details at the annual BlackHat hacking conference in August. However, a few details have emerged, and from what we have seen this is potentially one of the most serious and far-reaching security problems the Android operating system has ever seen.

Basically, a group of security researchers called Zimperium have discovered that it’s possible to break into and exploit almost any popular Android device simply by sending a specially crafted MMS message to that phone.

What makes this exploit scarier than any other we can remember is the way that Android handles MMS messages: once an MMS is received, it is automatically downloaded and partially processed by Android. This is enough to trigger the malicious code hidden inside the MMS, even if the user doesn’t opt to open it.

The clear worry here is that anyone wishing to exploit this bug can simply send the MMS to a target phone and gain access immediately, so it will be easy for anyone to hack into a target’s phone. Even if the target is unknown to the attacker, and they wish to just gain access to as many phones as possible, all they would need to do is send the specially crafted MMS to as many randomly generated mobile numbers as they can, and see what results they get.

Can I protect myself?

Traditional advice is not to open any files that are from people you don’t know. Unfortunately, this advice doesn’t work for Stagefright, for two reasons:

  1. Any phone infected by an exploit could send copies of the specially crafted MMS out to everyone in that phone’s address book, so the receiver may think the MMS comes from someone they trust.
  2. As mentioned above, the bug can be exploited by an attacker without any interaction from the user at all.

However, there are a couple of things you can do to try to protect yourself:

  1. Do not use MMS to send or receive pictures and videos with your contacts. Use email, WhatsApp, Instagram, Facebook Messenger etc. instead, as they use their own media handler (Google Hangouts uses the Stagefright module, so that IS NOT a safe option).
  2. It is being reported that changing the settings in your default MMS handling application can prevent this. Most applications come with a setting called ‘Auto Retrieve’ in the MMS settings – setting this to ‘Off’ could help to protect you. Of course this means that you won’t be able to send / receive MMS messages, but that’s probably a small price to pay to keep your phone secure until a proper patch is released.

We are encouraging people to spread the word to their family and friends about this, so please feel free to forward this page on to everyone you know.

For more information on the Stagefright bug look at these sites:

http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

https://nakedsecurity.sophos.com/2015/07/28/the-stagefright-hole-in-android-what-you-need-to-know/

http://www.zdnet.com/article/stagefright-just-how-scary-is-it-for-android-users/

 

 
