How To Protect Your Device From Androidâ€™s Stagefright Exploit :
Android has a massive security bug in a component known as â€œStagefright.â€� Just receiving a malicious MMS message could result in your phone being compromised. Itâ€™s surprising we havenâ€™t seen a worm spreading from phone to phone like worms did in the early Windows XP days â€” all the ingredients are here.
Itâ€™s actually a bit worse than it sounds. The media has largely focused on the MMS attack method, but even MP4 videos embedded in web pages or apps could compromise your phone or tablet.
Why the Stagefright Flaw is Dangerous â€” Itâ€™s Not Just MMS
Some commentators have called this attack â€œStagefright,â€� but itâ€™s actually an attack on a component in Android named Stagefright. This is a multimedia player component in Android. It has a vulnerability that can be exploited â€” most dangerously via an MMS, which is a text message with embedded multimedia components.
Many Android phone manufacturers have unwisely chosen to give Stagefright system permissions, which is one step below root access. Exploiting Stagefright allows an attacker to run arbtirary code with either the â€œmediaâ€� or â€œsystemâ€� permissions, depending on the how the device is configured. System permissions would give the attacker basically complete acess to their device. Zimperium, the organization that discovered and reported the issue, offer more details.
Typical Android text messaging apps automatically retrieve incoming MMS messages. This means you could be compromised just by someone sending you a message over the telephone network. With your phone compromised, a worm using this vulnerability could read your contacts and send malicious MMS messages to your contacts, spreading like wildfire like the Melissa virus did back in 1999 using Outlook and email contacts.
Initial reports focused on MMS because that was the most potentially dangerous vector Stagefright could take advantage of. But itâ€™s not just MMS. As Trend Micro pointed out, this vulnerability is in the â€œmediaserverâ€� component and a malicious MP4 file embedded on a web page could exploit it â€” yes, just by navigating to a web page in your web browser. An MP4 file embedded in an app that wants to exploit your device could do the same.
Is Your Smartphone or Tablet Vulnerable?
Your Android device is probably vulnerable. Ninety-five percent of Android device in the wild are vulnerable to Stagefright.
To check for sure, install the Stagefright Detector App from Google Play. This app was made by Zimperium, which discovered and reported the Stagefright vulnerability. It will check your device and tell you whether Stagefright has been patched on your Android phone or not.
How to Prevent Stagefright Attacks If Youâ€™re Vulnerable
As far as we know, Android antivirus apps wonâ€™t save you from Stagefright attacks. They donâ€™t necessarily have enough system permissions to intercept MMS messages and interfering with system components. Google also canâ€™t update the Google Play Services component in Androidto fix this bug, a patchwork solution Google often employs when security holes show up.
To really prevent yourself from being compromised, you need to prevent your messaging app of choice from downloading and launching MMS messages. In general, this means disabling the â€œMMS auto-retrievalâ€� setting in its settings. When you receive an MMS message, it wonâ€™t automatically download â€” youâ€™ll have to download it by tapping a placeholder or something similar. You wonâ€™t be at risk unless you choose to download the MMS.
You shouldnâ€™t do this. If the MMS is from someone you donâ€™t know, definitely ignore it. If the MMS is from a friend, it would be possible their phone has been compromised if a worm does begin to take off. Itâ€™s safest to never download MMS messages if your phone is vulnerable.
To disable MMS message auto-retrieval, follow the appropriate steps for your messaging app.
- Messaging (built into Android): Open Messaging, tap the menu button, and tap Settings. Scroll down to the â€œMultimedia (MMS) messagesâ€� section and uncheck â€œAuto-retrieve.â€�
- Messenger (by Google): Open Messenger, tap the menu, tap Settings, tap Advanced, and disable â€œAuto retrieve.â€�
- Hangouts (by Google): Open Hangouts, tap the menu, and navigate to Settings > SMS. Uncheck â€œAuto retrieve SMSâ€� under Advanced. (If you donâ€™t see SMS options here, your phone isnâ€™t using Hangouts for SMS. Disable the setting in the SMS app you use instead.)
- Messages (by Samsung): Open Messages and navigate to More > Settings > More settings. Tap Multimedia messages and disable the â€œAuto retrieveâ€� option. This setting may be in a different spot on different Samsung devices, which use different versions of the Messages app.
Itâ€™s impossible to built a complete list here. Just open up the app you use to send SMS messages (text messages) and look for an option that will disable â€œauto retrieveâ€� or â€œautomatic downloadâ€� of MMS messages.
Warning: If you choose to download an MMS message, youâ€™re still vulnerable. And, as the Stagefright vulnerability isnâ€™t just an MMS message issue, this wonâ€™t completely protect you from every type of attack.