What is the Stagefright Vulnerability?
You might have heard that a researcher recently discovered security vulnerabilities that affect up to 95 percent of Google Android phones. If you own an Android phone, read on to learn more about the vulnerability, how it could affect you, and what you can do to keep your phone safe.
What is Stagefright Vulnerability?
Stagefright is a media playback tool found in all Android phones. It helps devices process Multimedia Messaging Service (MMS) content. Flaws in Stagefright's code might allow an attacker to gain control of an affected Android device remotely and to steal data from it. Stagefright is also the nickname for the bug that affects this tool.
So what is the Stagefright bug?
Stagefright (the bug) is actually a set of seven vulnerabilities that reside within the Stagefright tool. Together, they potentially allow attackers to hack and steal data from devices without the victim knowing their device is being compromised.
How badly can a compromised device be exploited?
An attacker can gain access to all of an affected device's data, and have the ability to copy or delete it at will. They could gain access to its Bluetooth, camera, and microphone to monitor the victim, turning the device into a spy camera against them. They can also access photos and videos. If an attacker exploits a device with Stagefright, they essentially take complete control of it, without ever alerting the victim.
How was Stagefright discovered?
The Stagefright vulnerability was discovered by the security firm Zimperium. It was publicly announced on August 5, and remains a threat to a significant number of Android devices.
Is my Android device vulnerable?
Odds are that it is. The Stagefright bug can potentially affect Android devices running Froyo 2.2 through Lollipop 5.1.1. This amounts to about 95 percent of Android devices. Although Google has since released a patch that addresses the vulnerability,
How does the Stagefright bug enter Android devices?
An attacker can infect a device by sending a victim an MMS containing an exploit. There is a wide range of applications that can process MMS content, giving attackers a wide range of options to compromise devices. Google Hangouts is perhaps the most vulnerable application, because it does not require users to open messages to process MMS data.
How easily can an attacker exploit my device?
Very easily, unfortunately. Because the exploit involves only MMS, an attacker can target any device simply by knowing the phone number. And unlike most media-based exploits, the Stagefright exploit does not require the victim to open a message or a media file to compromise their device.
Where am I at risk?
Anywhere. One of the more alarming aspects of the Stagefright vulnerability is that your device can be targeted wherever, whenever, so long as it is on. If an attacker has your phone number, they can execute the exploit.
Is Stagefright worse than other vulnerabilities?
Yes. It is unique in that it can be implemented without input from the victim. In other words, most exploits work by tricking a victim into opening a message or file that contains a bug. With Stagefright, your device can be hacked while you sleep, or while you have it in your pocket.
What can I do to protect my device?
Unfortunately, it might be some time before Android can release a patch to negate the threat posed by the Stagefright bug. In the meantime, there are several ways you can safeguard your device from an attack.
- Start by disabling auto-fetching of MMS messages on your device's default short message service (SMS) app. When a message contains a large amount of data, your device will automatically download that data even before you open a message. Disabling auto-fetching will prevent this.
- Check your device's default SMS app. You can check this by going to your device's Settings, then default applications, and finally messages. Even though Hangouts is one of the more vulnerable applications, it also allows you to easily disable auto-fetching. Switching to Hangouts and then disabling auto-fetching will allow you to prevent attackers from remotely hijacking your device.
Directions for disabling auto-fetching:
If your default SMS app is Hangouts:
- First, open Hangouts.
- Go to the top left corner and tap Options.
- Tap Settings, then SMS.
- Under General, check to see if you have SMS Enabled.
- If you do, go to Advanced and uncheck Auto Retrieve MMS.
If your default SMS app is Messages:
- Start by opening Messages.
- Tap More, then Settings, then More Settings.
- Tap Multimedia Messages, and then turn Auto Retrieve off.
What else can I do to protect my devices?
Zimperium, the firm that discovered the vulnerability, released an app that lets users check to see if their device is vulnerable. The app is available in the Android store. Samsung released an app that allows users to easily disable MMS on their devices. The app can be downloaded here. You might want to consider using browsers that are safe from Stagefright. The most recent version of Firefox for Android, for example, is safe from the bug.
What are Google & phone providers doing to address the issue?
Google recently released a software update that contained a fix for the vulnerability. The update rectified issues from a previous attempt at patching the vulnerability that had failed. Google also plans to release an update that will prevent video messages from playing automatically as a preview, which was one way that an attacker could bypass having a victim click on a message to activate an exploit. Google estimates that 90 percent of Android devices are now protected from the Stagefright vulnerability.
In summary:
The Stagefright Vulnerability Bug is one of the biggest security issues ever discovered on mobile devices. If you do not take the steps needed to protect your device, you will be vulnerable to remote attacks that will allow attackers to access your phone's data at will, without you even having to open an infected message or file. To protect your device, make sure you:
- Keep your OS up to date. Download the latest Android system update immediately.
- Make sure auto-fetch for MMS is disabled on your device.
- Consider using a detection app to check if your device is vulnerable to a Stagefright attack.