What is Stagefright?
Yesterday a security researcher revealed a series of high-severity vulnerabilities related to Stagefright, a native Android media player, that affect nearly all Android devices in the world. The Stagefright vulnerabilities carry serious security implications: an attacker could exploit them to remotely control and steal data from a device by sending a victim a multimedia message (MMS) packaged with an exploit.
The Stagefright vulnerabilities affect all Android devices running Froyo 2.2 to Lollipop 5.1.1, which covers approximately 95% of all Android devices today. The security researcher who discovered these vulnerabilities first alerted Google to this issue in April and included security patches. Google has accepted the patches and sent security updates to its partners to be distributed to vulnerable devices.
Protect Yourself Now!
As an added protection measure, Lookout recommends disabling auto-fetching of MMS messages on a device’s default SMS app.
When an Android device receives a video message via SMS, by default it will automatically download the file. Disabling auto-fetching therefore prevents an attacker from getting a device to automatically download a malicious video containing Stagefright exploits, and gives the user the chance to delete the message and avoid device exploitation.
A device’s default SMS app may be “Hangouts”, or it may be a version of a native Android app variously named “Messages”, “Messaging”, or “Messenger”, depending on the device model and Android version. To determine your device’s default SMS app, go to Settings > Default applications > Messages.
While these instructions will make it harder for a device to be exploited via MMS, Lookout encourages Android users to exercise caution when viewing videos displayed on untrusted websites or included in messages from unknown senders.