- August 12th, 2015
Do you love getting text messages? Well, here is one reason to not love them – Stagefright. It’s a vulnerability that was recently exposed on the Android OS.
Despite its rather frightening name, Stagefright started its Android life innocently enough. It is simply the name of a media playback library buried deep inside Google’s mobile OS. The vulnerability that is its namesake, which takes advantage of flaws within the open-sourced code mobile OS, was discovered last month by researchers at a security firm named Zimperium.
The vulnerability works like this: A potential attacker, armed with just a phone number and a malware-laced video clip, sends an infected MMS message (which is like an SMS, but can be used to send videos and sound bites as well) to any one of the 950 million (!) Android smartphones, or any other devices using the vulnerable operating system.
This would be fine if the message recipient could delete the malicious message before it does any harm. Unfortunately, in some versions of the OS, the default messaging service is Google Hangouts, which automatically downloads and plays video clips in the feed without actually opening them. Other message services also have this setting enabled by default, and this is what makes the vulnerability so dangerous.
This is where things get, well, frightening
With most mobile malware, the user has to do something to get infected, like click an injected banner ad, or go to a dangerous website. With Stagefright, the only thing a user needs to do is have a phone number and a messaging service like Hangouts on their smartphone. If a malicious message is sent by an attacker, nothing else needs to happen in order for that mobile phone to become infected. Once downloaded, the malware can collect data, change settings, and even wipe out a phone entirely, all without any forewarning to the victim that their phone has been compromised.
Okay, so now what? Should you just throw your hands (and your smartphone?) in the air in defeat? Well, we don’t want you to do that. Here are a few things to bear in mind:
1. This is a proof-of-concept bug. This means the flaw was discovered and deployed by researchers in contained environments. No one has actually witnessed the Stagefright bug in the wild (in other words, there have been no documented cases of this actually happening to anyone). It is a flaw that has existed for five years, yet no one has exploited it to initiate an attack.
2. Although it was initially reported that millions of Android devices could be affected by the vulnerability, later updates suggest that the vast majority of devices (about 90 percent) have a technology called ASLR enabled, which protects them from the effects should this vulnerability be exploited.
3. You can take proactive measures to protect yourself against Stagefright by changing your message service settings so that your message service does not automatically download and play videos. It’s not that hard to change this setting, and it can wind up saving you a huge headache down the road. To do this, go into the settings of your smartphone’s message service and locate the setting called “Auto Retrieve MMS”. If it is enabled by default, disable it. Even if you don’t use Google Hangouts as your primary message service, make sure you change the default setting here, too.
4. Be careful about the messages you open. Don’t open links in emails unless you know and trust the sender. The same applies to MMS messages. Unless you know who sent the message and have good reason to believe that the message is safe, don’t open it.
OS patches and silver linings
Google has created a patch for the flaw, but it’s up to individual device manufacturers to deploy the patch. Google’s own Nexus Smartphones and Blackphone by Silent Circle have already been patched, as have some Samsung and LG models. Certain manufacturers have even promised to roll out monthly security patches, like their PC counterparts do. Keep your eyes open to see if your own device manufacturer has issued a patch. If it has, update immediately.
It’s pretty clear to everyone these days that the mobile world is becoming increasingly dangerous every day. At the same time, we are all becoming increasingly dependent on our mobile devices. Not only do they contain an increasing amount of personal information (including passwords, personal photos, and contact information) but they also serve as photo albums, shopping malls, entertainment devices and more. Most smartphone owners protect their devices from the outside, with screen guards and similar accessories. Make sure you’re protecting your device from the inside too. Use a lock screen to deter thieves, get a mobile security product to protect you from malware, and take precautions when using public WiFi.
When it comes to mobile security, what’s your biggest worry?