
Android Security Flaw: Stagefright – What You Need to Know

Update: As of Thursday, August 6th, 2015, Google and some phone carriers are pushing out a security fix to address this vulnerability. Source: http://www.zdnet.com/article/after-stagefright-samsung-and-lg-join-google-with-monthly-android-patches/

What is Stagefright?

Stagefright is a remotely exploitable software bug in Android that can allow an attacker to perform arbitrary operations on the affected device through remote code execution and privilege escalation.  This flaw currently affects versions 2.2 and newer of the Android operating system. Source: http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/

How Can This Affect Me?

An attacker can send a specially crafted MMS (multimedia) text message to the victim's device; the vulnerability triggers on receipt and requires no action from the end user.  The victim's phone number is the only target information an attacker needs.  In other words, someone can send you a text message and, without any interaction from you, take control of your phone.

What Can I Do About It?

There are currently some mitigations users can put in place on unpatched devices, including disabling the automatic retrieval of MMS messages and/or blocking text messages from unknown senders.  Security features built into newer versions of Android may also make exploitation of the Stagefright bug more difficult, so updating to the latest available version of Android may help reduce the risk.

Additionally, firms should set a minimum standard for allowed Android devices that accounts for the availability of software updates.
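As an added illustration of such a standard (example code written for this page, not part of the original post or of any Android tooling), the following audit flags inventory entries that fall short of a minimum patch policy. The inventory fields, the policy date and the sample devices are assumptions constructed here; the only facts taken from the post are that every Android release from 2.2 onward is affected and that fixes began shipping in August 2015.

```python
"""Audit an Android device inventory against a Stagefright patch policy.

Added example: inventory format, policy date and sample devices are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Every release from 2.2 onward is affected, so a version floor alone cannot
# separate patched from unpatched devices. The policy therefore also requires a
# security patch level dated no earlier than the month the fix started shipping
# (August 2015 per the post's update; the exact cut-off is an assumption).
AFFECTED_FROM = (2, 2)
MIN_PATCH_DATE = date(2015, 8, 1)


@dataclass
class Device:
    device_id: str
    android_version: str          # e.g. "5.1.1"
    patch_level: Optional[str]    # ISO date "YYYY-MM-DD", or None if not reported
    mms_auto_retrieve: bool       # True if the messaging app fetches MMS automatically


def parse_version(ver: str) -> tuple:
    """'4.4.4' -> (4, 4, 4); tolerates a build suffix such as '5.1.1-eng'."""
    head = ver.split("-")[0]
    return tuple(int(p) for p in head.split(".") if p.isdigit())


def is_affected_version(ver: str) -> bool:
    return parse_version(ver) >= AFFECTED_FROM


def evaluate(dev: Device) -> List[str]:
    """Return policy findings for one device; an empty list means compliant."""
    findings: List[str] = []
    if not is_affected_version(dev.android_version):
        return findings  # pre-2.2 builds are outside the scope of this bug
    if dev.patch_level is None:
        findings.append("patch level unknown; treat as unpatched")
    elif date.fromisoformat(dev.patch_level) < MIN_PATCH_DATE:
        findings.append(f"patch level {dev.patch_level} predates {MIN_PATCH_DATE}")
    # Interim mitigation from the post: with auto-retrieve off, a message cannot
    # trigger the bug without user action, so flag unpatched devices that keep it on.
    if findings and dev.mms_auto_retrieve:
        findings.append("MMS auto-retrieve enabled on an unpatched device")
    return findings


def audit(devices: List[Device]) -> Dict[str, List[str]]:
    return {d.device_id: evaluate(d) for d in devices}


# Constructed sample inventory; these are not real devices.
SAMPLE = [
    Device("phone-01", "5.1.1", "2015-08-01", False),
    Device("phone-02", "4.4.4", None, True),
    Device("phone-03", "5.1.1", "2015-09-01", True),
    Device("phone-04", "2.1", None, True),
    Device("phone-05", "5.0.2-eng", "2015-07-01", False),
]
```

Devices with an empty findings list meet the policy; anything else should be blocked from corporate resources until updated.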

Additional Details:

The Stagefright bug was reported to Google in April 2015 and was publicly announced on July 27, 2015.  Fortunately, Google is currently working on a patch for the Stagefright vulnerability; however, there are often long delays in propagating patches to end-user devices because of heavy fragmentation across manufacturers, device variants, Android versions, and the various Android customizations performed by manufacturers.  Furthermore, Google maintains that firmware updates for carrier devices are the responsibility of the wireless carriers and original equipment manufacturers (OEMs).