According to a blog post by Imperium Mobile Security, devices running Android are currently highly vulnerable to an exploit using Stagefright. In the following I’ll quickly explain what the Stagefright exploit does and how you can protect yourself from harm.
What is the Stagefright exploit?
Many Android messaging apps such as Hangouts, by design, are automatically downloading media files send via the MMS protocol. Media files may contain malicious code which is executed without the user opening the video or image. Exploits like this are usually protected by Android’s “sandboxing”. This means that apps are usually only able to interact within certain limits and cannot access the full system. However, the Stagefright exploit might be able to gain root access and do potentially a lot of harm.
It is important to say that this bug is not related to MMS services, Hangouts or other Messaging apps. This is a deeply embedded bug of Stagefright in general. Currently, MMS is just the easiest way for hackers to exploit this bug without the user interacting with the media file. While many popular messaging services like WhatsApp don’t use MMS technology anymore, Android is designed to automatically download MMS files unless you disable it.
Who is vulnerable?
At the moment the majority of Android versions are vulnerable. Only the latest 5.1.1 builds might be secure. Please be aware that just because you’re potentially vulnerable, this does not automatically mean that you’re going to be a targeted. This exploit appears to be rather complicated and cannot be used by novice hackers.
I expect especially custom ROM developers to publish security fixes soon. In fact, CyanogenMod based ROMs have already fixed this exploit. For those of you currently not running a custom ROM, this might be the perfect start to look into this topic.
What can you do to protect yourself?
Unfortunately, protecting yourself 100% is not possible unless you run patched OS. However, there are a few things that you can do to minimise your risk:
– Disable automatic downloading of MMS messages. This can be done in both most messaging apps
– Use Firefox for mobile browsing as it runs code out of process
– Don’t accept messages from people you don’t know
– Avoid potentially vulnerable / dangerous websites
– Bonus: Consider switching to a custom ROM that already fixed the issue
Next to those fixes, Google is most-likely release a fix soon. This obviously also applies for other popular Android skins from manufacturers Like Samsung or LG.