Believed to be the worst Android vulnerability yet discovered, the “Stagefright” bug exposes nearly 1 billion Android devices to malware.
This malware is delivered by a multimedia message sent via Google Hangouts. This exploit is considered extremely dangerous because the victim is not required to take any action and there are no apparent effects. The attacker can execute the code and remove any signs that the device has been compromised before the owner is even aware.
Only the barest details have been released, but Nikolaos Chrysaidos, Mobile Malware Analyst for Avast says, “From what we know about the vulnerability, this sounds like a very targeted attack. The attacker would need to know the victim’s phone number.”
The purpose is to steal the user’s data, access photos, Bluetooth, or hijack the phone’s microphone and camera. That might not sound too menacing for you or me, but if a top government official or company president were attacked, the repercussions could be devastating.
“This vulnerability does sound dangerous in that there is not much the user can do to protect himself”, said Chrysaidos.
Zimperium zLabs VP, Joshua Drake, found the bug and will present his research at Black Hat USA and DEF CON 23 in August. Drake and his team reported the vulnerabilities to Google along with patches. Their company blog reports that “Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that’s only the beginning of what will be a very lengthy process of update deployment.”
How to protect yourself from Stagefright
“We recommend users disable “auto retrieve MMS” within their Hangouts settings, as a precautionary measure at the moment”, said Chrysaidos.
Comprehensive fixes need to be provided by your phone’s manufacturer in an over-the-air (OTA) firmware update for Android versions 2.2 and on. Unfortunately, updates for Android devices have historically taken a long time to reach users. But, maybe this time manufacturers are responding quicker. HTC told Time “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.”
“This is yet another reason to not share your phone number on social media platforms or the Internet, so strangers cannot simply send you malicious texts”, said Chrysaidos. “We look forward to learning more details about the vulnerability when it is announced at BlackHat.”