Android has a massive security bug in a component known as “Stagefright.” Just receiving a malicious MMS message could result in your phone being compromised. It’s surprising we haven’t seen a worm spreading from phone to phone like worms did in the early Windows XP days — all the ingredients are here.
It’s actually a bit worse than it sounds. The media has largely focused on the MMS attack method, but even MP4 videos embedded in web pages or apps could compromise your phone or tablet.
Some commentators have called this attack “Stagefright,” but it’s actually an attack on a component in Android named Stagefright. This is a multimedia player component in Android. It has a vulnerability that can be exploited — most dangerously via an MMS, which is a text message with embedded multimedia components.
Many Android phone manufacturers have unwisely chosen to give Stagefright system permissions, which is one step below root access. Exploiting Stagefright allows an attacker to run arbtirary code with either the “media” or “system” permissions, depending on the how the device is configured. System permissions would give the attacker basically complete acess to their device. Zimperium, the organization that discovered and reported the issue, offer more details.
Typical Android text messaging apps automatically retrieve incoming MMS messages. This means you could be compromised just by someone sending you a message over the telephone network. With your phone compromised, a worm using this vulnerability could read your contacts and send malicious MMS messages to your contacts, spreading like wildfire like the Melissa virus did back in 1999 using Outlook and email contacts.
Initial reports focused on MMS because that was the most potentially dangerous vector Stagefright could take advantage of. But it’s not just MMS. As Trend Micro pointed out, this vulnerability is in the “mediaserver” component and a malicious MP4 file embedded on a web page could exploit it — yes, just by navigating to a web page in your web browser. An MP4 file embedded in an app that wants to exploit your device could do the same.
Your Android device is probably vulnerable. Ninety-five percent of Android device in the wild are vulnerable to Stagefright.
To check for sure, install the Stagefright Detector App from Google Play. This app was made by Zimperium, which discovered and reported the Stagefright vulnerability. It will check your device and tell you whether Stagefright has been patched on your Android phone or not.
As far as we know, Android antivirus apps won’t save you from Stagefright attacks. They don’t necessarily have enough system permissions to intercept MMS messages and interfering with system components. Google also can’t update the Google Play Services component in Android to fix this bug, a patchwork solution Google often employs when security holes show up.
To really prevent yourself from being compromised, you need to prevent your messaging app of choice from downloading and launching MMS messages. In general, this means disabling the “MMS auto-retrieval” setting in its settings. When you receive an MMS message, it won’t automatically download — you’ll have to download it by tapping a placeholder or something similar. You won’t be at risk unless you choose to download the MMS.
You shouldn’t do this. If the MMS is from someone you don’t know, definitely ignore it. If the MMS is from a friend, it would be possible their phone has been compromised if a worm does begin to take off. It’s safest to never download MMS messages if your phone is vulnerable.
To disable MMS message auto-retrieval, follow the appropriate steps for your messaging app.
It’s impossible to built a complete list here. Just open up the app you use to send SMS messages (text messages) and look for an option that will disable “auto retrieve” or “automatic download” of MMS messages.
Warning: If you choose to download an MMS message, you’re still vulnerable. And, as the Stagefright vulnerability isn’t just an MMS message issue, this won’t completely protect you from every type of attack.
Rather than attempting to work around the bug, it would be better if your phone just received an update that fixed it. Unfortunately, the Android update situation is currently a nightmare. If you have a recent flagship phone, you can probably expect an upgrade at some point — hopefully. If you have an older phone, especially a lower-end phone, there’s a good chance you’ll just never receive an update.
Google also told Ars Technica that “the most popular Android devices” would be getting the update in August, including:
Motorola has also announced it will be patching its phones with updates beginning in August, including the Moto X (1st and 2nd generation), Moto X Pro, Moto Maxx/Turbo, Moto G (1st, 2nd, and 3rd generation), Moto G with 4G LTE (1st and 2nd generation), Moto E (1st and 2nd generation), Moto E with 4G LTE (2nd generation), DROID Turbo, and DROID Ultra/Mini/Maxx.
Google Nexus, Samsung, and LG have all committed to updating their phones with security updates once per month. However, this promise only really applies to flagship phones and would require carriers cooperate. It’s unclear how well this would work out. Carriers could potentially stand in the way of these updates, and this still leaves a large number — thousands of different models — of in-use phones without the update.
CyanogenMod is a third-party custom ROM of Android often used by enthusiasts. It brings a current version of Android to devices that manufacturers have stopped supporting. This isn’t really the ideal solution for the average person as it requires unlocking your phone’s bootloader. But, if your phone is supported, you can use this trick to get a current version of Android with current security updates. It’s not a bad idea to install CyanogenMod if your phone is no longer being supported by its manufacturer.
CyanogenMod has fixed the Stagefright vulnerability in the nightly versions, and the fix should make it to the stable version soon via an OTA update.
This is just one of the many security holes old Android devices build up, sadly. It’s just a particularly bad one that’s getting more attention. The majority of Android devices — all devices running Android 4.3 and older — have a vulnerable web browser component, for example. This will never be patched unless the devices upgrade to a newer version of Android. You can help protect yourself against it by running Chrome or Firefox, but that vulnerable browser will forever be on those devices until they’re replaced. Manufacturers aren’t interested in keeping them updated and maintained, which is why so many people have turned to CyanogenMod.
Google, Android device manufacturers, and cellular carriers need to get their act in order, as the current method of updating — or rather, not updating — Android devices is leading to an Android ecosystem with devices building up holes over time. This is why iPhones are more secure than Android phones — iPhones actually get security updates. Apple has committed to updating iPhones for longer than Google (Nexus phones only), Samsung, and LG are comitting to upgrade their phones, too.
You’ve probably heard that using Windows XP is dangerous because it’s no longer being updated. XP will continue to build up security holes over time and become more and more vulnerable. Well, using most Android phones is the same way — they aren’t receiving security updates either.
Some exploit mitigations could help prevent a Stagefright worm from taking over millions of Android phones. Google argues that ASLR and other protections on more recent versions of Android help prevent Stagefright from being attacked, and this does seem to be partially true.
Some cellular carriers also appear to be blocking potentially malicious MMS message on their end, preventing them from ever reaching vulnerable phones. This would help prevent a worm from spreading via MMS messages, at least on carriers taking action.
Image Credit: Matteo Doni on Flickr