July 28, 2015
Stagefright New Android Vulnerability
Update:
We have released a detector app to help you know whether your device is affected.
What is Stagefright?
Yesterday a security researcher revealed a series of high-severity vulnerabilities in Stagefright, the native media-processing library in Android, that affect nearly all Android devices in the world. The Stagefright vulnerabilities carry serious security implications: because the library parses media files before a user ever plays them, an attacker could exploit them to remotely control a device and steal data from it simply by sending the victim a multimedia message (MMS) containing a specially crafted media file.
Any application that processes MMS content is a possible delivery path for an exploit, but devices using Google Hangouts for this purpose may be most at risk, since Hangouts processes incoming media as soon as it arrives and a victim may not even need to open the message for an attacker to take control of the device. In the other delivery paths examined so far, it appears a victim needs to open their default SMS messaging app and the message thread itself for the exploit to work (although the media file does not need to be played within the app; having it parsed is enough).
Based on Lookout’s own Stagefright research over the last 24 hours it also appears that multimedia viewed in a browser (e.g. a web video) could be used to deliver a Stagefright attack.
The Stagefright vulnerabilities affect all Android devices running Froyo 2.2 to Lollipop 5.1.1, which covers approximately 95% of all Android devices today. The security researcher who discovered these vulnerabilities first alerted Google to this issue in April and included security patches. Google has accepted the patches and sent security updates to its partners to be distributed to vulnerable devices.
Lookout’s Protection
Lookout protects devices from malware delivered using Stagefright exploits. Keep in mind that a device will remain vulnerable until it receives Google’s patches for these vulnerabilities. Android devices other than Nexus devices will ultimately need to get these patches through a Google partner (either a device manufacturer or wireless carrier). Nexus devices, however, will receive a direct security update from Google next week, according to a Google spokesperson.
Unfortunately, security patches delivered by Google’s partners can take weeks and even months to fully deploy. To check whether a patch is available, open Settings and look for System Updates (the exact location varies by device; on many it is under Settings > About phone). In the meantime, Android users waiting on Stagefright security patches can take additional steps on their device to protect themselves.
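For readers who administer several devices, the version range given above (Froyo 2.2 through Lollipop 5.1.1) and the patch check described here can be scripted against the release string a device reports. The following shell example is added here and is not Lookout's detector code; the function names are hypothetical, and the release strings in the comments are constructed for illustration. Note the caveat built into it: a release number alone cannot tell you whether a device has actually received the Stagefright patches, because a patched build still reports the same version (for example 5.1.1), and builds older than Android 6.0 expose no security patch level property. "In range" therefore means "check for an update", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not Lookout's own tooling): classify an Android release
# string against the Stagefright range this post describes.

# version_key: turn a dotted release string such as "5.1.1" into an integer
# (major*10000 + minor*100 + patch) so releases can be compared numerically.
# Missing components count as 0 ("5.1" == "5.1.0"); a trailing letter as in
# the constructed input "4.4W" is dropped from that component.
version_key() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    maj=${1%%[!0-9]*}; min=${2%%[!0-9]*}; pat=${3%%[!0-9]*}
    echo $(( ${maj:-0} * 10000 + ${min:-0} * 100 + ${pat:-0} ))
}

# stagefright_range_status: print "in-range" if the release falls inside
# 2.2 .. 5.1.1 inclusive, otherwise "out-of-range".
# "in-range" only means the build line shipped the vulnerable code; it does
# NOT mean the device is unpatched, since the partner patches do not change
# ro.build.version.release.
stagefright_range_status() {
    k=$(version_key "$1")
    lo=$(version_key 2.2)
    hi=$(version_key 5.1.1)
    if [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]; then
        echo in-range
    else
        echo out-of-range
    fi
}

# device_release: read the release string from a USB-attached device over adb.
# Requires adb in PATH and USB debugging enabled; the tr strips the CR that
# "adb shell" appends on some hosts. Not called below so the rest runs offline.
device_release() {
    adb shell getprop ro.build.version.release | tr -d '\r'
}

# Stand-alone usage over constructed release strings (no device needed).
for rel in 2.1 2.2 4.4W 5.1.1 6.0; do
    printf '%-6s %s\n' "$rel" "$(stagefright_range_status "$rel")"
done
```

To use it against a real device, replace the loop with `stagefright_range_status "$(device_release)"`; whatever it prints, the authoritative answer is still whether the system update containing Google's patches has been installed.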
Additional Protection
As an added protection measure, Lookout recommends disabling auto-fetching of MMS messages on a device’s default SMS app.
When an Android device receives a multimedia message via MMS, by default the SMS app automatically downloads the attached media, and that download is what hands the file to Stagefright for parsing. Disabling auto-fetching therefore stops an attacker from getting a device to download a malicious media file containing Stagefright exploits on its own; the message arrives as a placeholder, and the user can delete it without the media ever being downloaded or parsed.
A device’s default SMS app may be “Hangouts”, or it may be a version of a native Android app variously named “Messages”, “Messaging”, or “Messenger”, depending on the device model and Android version. To determine your device's default SMS app, go to Settings > Default applications > Messages (the exact path varies by device and Android version).
We’ve included walk-through instructions below that show how to disable MMS auto-fetching for the four messaging apps listed above. If a device uses a different default SMS app, Lookout recommends disabling MMS auto-fetching within that app or switching to an app such as Hangouts that allows this feature to be disabled. Lookout users can contact Lookout support if they need help disabling MMS auto-fetching.
These instructions only close the MMS delivery path; they do nothing for media that reaches Stagefright another way, such as a video on a web page or a file opened in another app. So while they make it harder for a device to be exploited via MMS, Lookout encourages Android users to exercise caution when viewing videos displayed on untrusted websites or included in messages from unknown senders until their device is patched.
Instructions for disabling auto-fetching of MMS for Hangouts:
First, open Hangouts, then tap the menu button in the upper left corner.
Then tap “Settings”.
Then tap “SMS”.
(Note: If SMS is not listed here, the device does not use Hangouts for retrieving SMS/MMS, and the user should instead disable auto-fetching of MMS in whichever app is the default SMS app.)
Then scroll down and uncheck “Auto retrieve MMS”.
Instructions for disabling auto-fetching of MMS for Messages:
First, open Messages, then tap the menu button in the upper right corner.
Then tap “Settings”.
Then tap “Multimedia message (MMS)”.
Then uncheck “Auto retrieve”.
Instructions for disabling auto-fetching of MMS for Messaging:
First, open Messaging, then tap the menu button in the bottom right corner.
Then tap “Settings”.
Then scroll down and uncheck “Auto-retrieve”.
Instructions for disabling auto-fetching of MMS for Messenger:
First, open Messenger, then tap the menu button in the upper right corner.
Then tap “Settings”.
Then tap “Advanced”.
Then disable “Auto-retrieve”.
In short, Lookout recommends leaving MMS auto-fetching disabled until a device is patched. If a system update is pushed to your device, install it as soon as possible. You can continue to follow the Lookout blog to stay up to date on this issue.