It has recently been discovered that Stagefright, the nickname of a media library in a portion of Android’s open source code, has a serious vulnerability that puts 95% of Android devices at risk of being hacked. Because the Stagefright library deals primarily with the interpretation of MMS content, attackers have been able to infect devices by simply sending a malicious MMS message. The most terrifying part about this is that most users don’t even have to open the message to be hacked. Once the attacker sends the message and the intended person receives it, the user has no control over what personal information (pictures, data, camera, microphone) is being accessed. In some cases, attackers have been able to delete all traces of an attack, leaving the user completely unaware that they were hacked.
The bugs were reportedly fixed with patches by Zimperium zLabs (the leader in mobile threat protection), but the patches have not been rolled out across the board. This is mainly due to Google’s Android ecosystem, which relies on partner phone manufacturers to deliver the patches to users through software updates. This means that some of the biggest names in the industry are lagging behind (Samsung, HTC, and LG, to name a few), and it may be weeks before the new updates trickle down. Unfortunately, users who have older Android devices are no longer eligible for software updates, and the patch is not available at all to users whose handsets come from makers that aren’t official partners of Google.
Zimperium has stated that this and other vulnerabilities targeting media and system privileges in Stagefright are being identified. For our clients with Android devices, the most important way to avoid being hacked is to always be sure that your device is updated to the latest version. You can also reduce your risk by disabling auto-fetching of MMS, for which there are many helpful “how-to” videos and tutorials.