A Simple Text Puts 95% of Android Devices in the Hotseat

Earlier this week, a new vulnerability was discovered, potentially afflicting up to 950 million Android devices. This accounts for nearly all of active Android users. And what’s more shocking, it all started with a text message.

Allow me to introduce you to “Stagefright,” the latest vulnerability to make cybersecurity headlines. Stagefright, a security hole freshly discovered by a group of cybersecurity researchers, is being hailed as the next Heartbleed — a serious vulnerability that compromised most Internet users a year ago.

While Stagefright may not be as expansive as Heartbleed, it’s still a very severe vulnerability and shares some similarities with Heartbleed. Cybercriminals can easily use Stagefright to steal personal data stored on your smartphone, including contacts, photos, and other sensitive data. Like Heartbleed, Stagefright affects a very large number of people — up to 95 percent of Android users. And, much like Heartbleed, most users will have to wait for large organizations and device manufacturers to issue updates to fix the vulnerabilities.

So here’s the nitty-gritty:

Stagefright is the nickname for Android’s media library — a portion of the Android operating system responsible for how you interact with things like music and video on your device. This attack exploits a few weaknesses within that library, which is used by many other applications for viewing and rendering multimedia content. Some applications that handle communication on your device, such as SMS and MMS messages, use the library to load and run such median content sent over multimedia messaging services (MMSs).

MMSs are programs used to send and receive text, photo, video and audio messages, and are prevalent throughout mobile devices. Stagefright exploits those systems to deliver malicious code, which can then siphon data from a targeted device and perpetuate itself. We typically call this type of attack a computer worm.

According to researchers, cybercriminals needn’t do too much to successfully deploy the attack. All they need to do is to send a malicious text message to a vulnerable device – that is, any Android device running Android 2.2 or higher. In some cases, this vulnerability requires the user to open a multimedia message for the attack to be successful. In other cases, the act of merely receiving a message is enough to infect a device.

The fact that this vulnerability requires so little user input in order to deliver its payload is one of the reasons why it’s so dangerous. Another reason: it’ll take some time to fix.

While Google and a handful of Android device manufacturers have already pushed out updates fixing the Stagefright vulnerability, several other device manufacturers haven’t — or at least not yet. Since each Android device model is unique, it may take some time for manufacturers to create and distribute updates.

But that doesn’t mean Android users are completely helpless. There are a few tips and tricks users can implement to protect themselves from Stagefright attacks. Let’s take a look at a few now:

  • Turn off MMS messages. This isn’t necessarily convenient, but you should turn off your phone’s ability to automatically retrieve MMS messages so long as Stagefright poses a threat. Tap the “message” icon on your Android home screen. Then tap the three dots (or lines) in the upper right corner and scroll down to settings. Scroll until you see “MMS” and flip that switch to “off.” You can also go into certain apps themselves to adjust settings that might auto-load MMS attachments.
  • Update your phone. Many updates contain security fixes to previously unknown vulnerabilities on your devices. When you learn of a new software upgrade, or get an update notice, update your device. You’ve heard me say this before, but implementing updates as they become available is one of the best ways to protect your device from attacks like Stagefright.
  • Don’t open messages from strangers. Much like accepting candy from a stranger, don’t open or accept text messages from people you don’t know. Texts from unfamiliar numbers may be trying to infect your device with Stagefright or another unknown vulnerability.
  • Use comprehensive security software. Regardless of whether you’re on a mobile, laptop or desktop device, you’ll need to protect yourself from cybercriminals. That’s where our comprehensive security solutions, McAfee LiveSafe™ service, McAfee Mobile Security iOS and McAfee Mobile Security Android, come into play. These solutions help protect your devices from known vulnerabilities and other Internet threats.

To address the Stagefright vulnerability, on July 31, 2015, McAfee has issued a DAT signature capable of detecting and reporting certain vulnerabilities that could be present in video files. The solution is be able to detect infected video files that arrived on the device via web browsing, download, or message. In case the exploited video arrives on the device via MMS message, McAfee Mobile Security will also scan and detect it through its SMS/MMS scan feature. To learn more about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and Like us on Facebook.



Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from Mobile Security

Back to top