July 28, 2015

What you need to know about the new Android vulnerability, “Stagefright”

Update: We have released a detector app to help you know whether your device is affected. Learn more here.

What is Stagefright?

Yesterday a security researcher revealed a series of high-severity vulnerabilities related to Stagefright, a native Android media player, that affect nearly all Android devices in the world. The Stagefright vulnerabilities carry serious security implications: an attacker could exploit them to remotely control and steal data from a device by sending a victim a multimedia message (MMS) packaged with an exploit.

Any number of applications can process MMS content and thereby receive exploits, but devices using Google Hangouts for this purpose may be most at risk since a victim may not even need to open the message in Hangouts for an attacker to take control of their device. In all other hypothetical attacks it appears a victim needs to open their default SMS messaging app and the message thread itself for the exploit to work (although the media file does not necessarily need to be played within the app).

Based on Lookout’s own Stagefright research over the last 24 hours it also appears that multimedia viewed in a browser (e.g. a web video) could be used to deliver a Stagefright attack.

The Stagefright vulnerabilities affect all Android devices running Froyo 2.2 to Lollipop 5.1.1, which covers approximately 95% of all Android devices today.  The security researcher who discovered these vulnerabilities first alerted Google to this issue in April and included security patches. Google has accepted the patches and sent security updates to its partners to be distributed to vulnerable devices.

Lookout’s Protection

Lookout protects devices from malware delivered using Stagefright exploits. Keep in mind that a device will remain vulnerable until it receives Google’s patches for these vulnerabilities.  Android devices other than Nexus devices will ultimately need to get these patches through a Google partner (either a device manufacturer or wireless carrier). Nexus devices, however, will receive a direct security update from Google next week, according to a Google spokesperson.

Unfortunately, security patches delivered by Google’s partners can take weeks and even months to fully deploy.  To check if a patch is available for most Android devices, go to Settings and click System Updates. In the meantime, Android users waiting on Stagefright security patches can take additional steps on their device to protect themselves.

Additional Protection

As an added protection measure, Lookout recommends disabling auto-fetching of MMS messages on a device’s default SMS app.

When an Android device receives a video message via SMS, by default it will automatically download the file. Therefore, disabling auto-fetching prevents an attacker from getting a device to automatically download a malicious video containing Stagefright exploits, which allows the user to delete the message and avoid device exploitation.

A device’s default SMS app may be “Hangouts”, or it may be a version of a native Android app variously named “Messages”, “Messaging”, or “Messenger”, depending on the device model and Android version. To determine your device’s default SMS app, go to Settings > Default applications > Messages.

We’ve included walk-through instructions below that show how to disable MMS auto-fetching for the four messaging apps listed above. If a device uses a different default SMS app, Lookout recommends disabling MMS auto-fetching within that app or switching to an app such as Hangouts that allows this feature to be disabled. Lookout users can contact Lookout support if they need help disabling MMS auto-fetching.

While these instructions will make it harder for a device to be exploited via MMS, Lookout encourages Android users to exercise caution when viewing videos displayed on untrusted websites or included in messages from unknown senders.

Instructions for disabling auto-fetching of MMS for Hangouts:

First, open Hangouts, then, tap on the menu button in the upper left corner:

SF1

Then tap “Settings”:

SF2

Then tap “SMS”:

SF3

(Note: If SMS is not listed here then a device does not use Hangouts for retrieving SMS/MMS and the user should instead disable auto-fetching of MMS for the relevant application.)

Then scroll down and uncheck “Auto retrieve MMS”:

SF4

Instructions for disabling auto-fetching of MMS for Messages:  

First, open Messages, then, tap on the menu button in the upper right corner:

SF5

Then tap “Settings”:

SF6

Then tap “Multimedia message (MMS)”:

SF7

Then uncheck “Auto retrieve”:

SF8

 

Instructions for disabling auto-fetching of MMS for Messaging:

First, open Messaging, then, tap on the menu button in the bottom right corner:

SF9

Then tap “Settings”:

SF10

Then scroll down and uncheck “Auto-retrieve”

SF11

Instructions for disabling auto-fetching of MMS for Messenger:

First, open Messenger, then, tap on the menu button in the upper right corner:

SF12

Then tap “Settings”:

SF13

Then tap “Advanced”:

SF14

Then disable “Auto-retrieve”:

SF15

In short, Lookout recommends leaving MMS auto-fetching disabled until a device is patched. If a system update is pushed to your device, you should install it at your earliest convenience. You can continue to follow the Lookout blog to stay up to date on this issue.

60 comments
  1. Luis M Gómez says:

    Muchas muchas gracias!

  2. Robert says:

    So with Lookout Premium Edition am I protected?

  3. Ian says:

    So should we expect that this virus will come from an unknown number or presume that it could potentially come from a trusted source?

  4. anonymouse says:

    Lookout protects devices from malware delivered using Stagefright exploits. Keep in mind that a device will remain vulnerable until it receives Google’s patches for these vulnerabilities. << Please clarify – Lookout can only detect viral payloads or can Lookout scan for find and eliminate StageFright itself after it's installed itself?

    • Meghan Kelly says:

      Hi there, Lookout cannot fix the vulnerability, unfortunately. It is a flaw in the software and you’ll need to wait for a patch from Google for it to be fixed. However, Lookout protects its users from malware that might be distributed using the Stagefright vulnerability.

  5. John says:

    Do we know if the update will be in the form of a new Android version like 5.1.2?

  6. Mohd Adnan says:

    Thanks so much for the tip to disable Auto-Fetch for MMS…

  7. Tom Parker says:

    Thanks so much for the helpful info. I was very anxious about Stagefright and your info and instructions should tide me over until LG makes the patch available.

  8. Sharon Shak says:

    I installed the Lookout Stagefright app, tapped on Settings and Default Applications. What appeared next was Home (TouchWiz home). “Messages” was in light print and could not be opened. What now?

  9. Thomas says:

    Grazie Mille. 🙂

  10. André Paradis says:

    Thank you guys… Easy to follow instructions.
    Note that the procedure has changed in Messages… Ver. 5.1.1

  11. Andrew says:

    My device is vulnerable to this new threat. I have attempted to follow the instructions provided. However, the detection app still says my phone is vulnerable. Please help.

  12. Peter McCaffrey says:

    If your Nexus phone is on Verizon, they do not allow google updates you need to wait for them to issue updates.

  13. Don says:

    My Messages does not have a Setting below the Font Size…What do I do? Also, Hangouts will not let me uncheck the MMS Auto-retrieve as it is greyed out. What do I do?

  14. Ellen says:

    Can this exploit still work if Hangouts is disabled (Android 5.1)? The app cannot be uninstalled, but I don’t use it.

  15. robin hardy says:

    Thanks for the heads up.

  16. Susie says:

    Please help – the commands in order to disable MMS auto-fetching do not appear in my settings in Messenger…I also use Message+ (Verizon)..is this also vulnerable (when I downloaded the App, I was advised that my device is vulnerable). Many thanks (I sent you an email too). Susie

  17. Ngalbdvm says:

    Thank you for this information and for taking such good care of us. 🙂

    Great information and simple steps for precaution.

  18. Lyn Johnson says:

    Thank u! Luv ur app! Happy place!

  19. Brenda says:

    What about the regular android messenger

  20. Jim Kozlowski says:

    Thank you Lookout for the valuable information. I’m glad I have you in my corner.

  21. Kossy says:

    I also use the verizon message+. How do I disable the auto download? I can’t find the proper settings menu. Thanks.

  22. Ana says:

    Thanks but in hangouts I can’t unchecked the MMS I’m scared that the virus already attacked my phone. Please help.

  23. Stephanie says:

    Since installing the Stagefright Detector app and following the instructions to disable auto-retrieval, my text messages with content time out very quickly. Sometimes the time out is the same minute the text was sent. I want to have this app, but having to ask for photos, etc to be sent again because of timing out is inconvenient and annoying. Can you help?

  24. Kesete says:

    If my mobile is affected how can remove the virous for it

  25. Droid user says:

    If i reset my android device?
    Will the stagefright bug be gone?

  26. Dawn says:

    I do not understand how to protect myself on this tablet. I am not able to find the area to go to disable this MMS thing or whatever it is I need to disable. Please can you help me.

  27. Starr says:

    I also tried the fix you recommend and only got touchwiz home with the Messages line grayed out and unabled to be opened. What to do?

  28. Teresa pitts says:

    I’m cannot not find hangout so it tried to install it and Google play comes up but it just isn’t am getting spam mess and very long codes saying it reset my password please help

  29. Teresa pitts says:

    Hangouts is downloaded but it’s hidden and has my contacts on it and it did not put them there is just figured that out

  30. Tammie says:

    How do you know what the default is in messaging. Also why would my phone have a code name? I came across this under your application when it scanned my device. Also why did it just say Samsung fora device? I have one of the galaxys. Also there were letters after sghm919 which I have never seen before. Why would your application actually read a code name for my cell. I have never received an update from Google and my carrier is T-Mobile. So how will I receive the patch?
    Thank you,
    Tammie

  31. Manuel Robles says:

    2 questions
    1) If lookout is downloaded and working, what’s the point of “stage fright”?
    2) SMS vs MMS, is one preferred over the other? I did get a message from a company I do business with and it turned out to be an error message. Basically saying that I could not view the message from that business because my messenger was set to receive MMS and messages are only visible when us SMS, for security reasons.
    Can someone help me understand why this would be the case

  32. Teresa Pitts says:

    I know I am exposed I went to hangouts and I never use hangouts and all my contacts my profile and a long password I would have ever used .and it was grip mess and through time Warner with website that was not safe please help

  33. Teresa Pitts says:

    Please help they are on my phone

  34. Darrell Russell says:

    For those of you who check back, Verizon’s messaging system works like this: Click on the three lines at the top LEFT. Click ‘Settings”. Now scroll to the bottom and click ‘Advanced’. Once in there, scroll down towards the bottom of the page is a header titled, “Multimedia message (MMS) settings. There you will see Auto-Retrieve. Make sure that is unchecked. Now you’re done, so hit the home button.

  35. Austin says:

    I somehow feel unprotected but protected at the same time…

  36. Ibrahim says:

    My mobile is hakced so how to fix apart from disabling auto retrieve setting?

  37. I THANK YOU VERY MUCH LOOKOUT
    YOUR FEE 29$. FOR
    A HOLE YEAR OF
    PROTECTION IS A
    STEAL OF A DEAL.
    YOU HAVE EITHER
    FIXED THE PROBLEM
    OR HAVE GIVEN ME
    THE SOLUTION TO
    FIX IT MY SELF.

    THOUSANDS OF
    THANKS

    MLS

  38. Danyaal says:

    How come cyanogenmod doesnt get stagefright

  39. Russell says:

    So you guys advertise a malware warning. But all your post include a bit.ly link which tracks your ip, gives your information away and can give you spyware dependind on which link you are using. Nice troll lookout.

  40. Paul says:

    I don’t use these apps am I still exposed I have them on disable

  41. lect says:

    no look out you cant protect people from a eft343s exploit….this type of protection will be free for now…..ongoing protection will be subscription

  42. me says:

    I’ve followed your instructions above put my device doesn’t show any of what you have stated. Help

  43. Joey says:

    “My device is vulnerable to this new threat. I have attempted to follow the instructions provided. However, the detection app still says my phone is vulnerable. Please help.” [2]

  44. nicky says:

    Good advice I like it alot

  45. Barny says:

    How do I get the patch from Google?

  46. Dara says:

    Does stagefright make all apps not respond on a device?

  47. Anonymous says:

    Apparently my device isn’t affected if the app tells the truth… Yet it is running lollipop 5.0.2. Didn’t it say ALL devices from 2.2 to 5.1.1…

  48. Lnkmeup82 says:

    Cyanogenmod does use Stagefright and it’s been patched: https://plus.google.com/+CyanogenMod/posts/7iuX21Tz7n8

  49. I want to thank everyone at the lookout company if it was not for lookout I wouldn’t have a phone I have a lot a lot of things bad on my phone lookout has been right there for me I want to thank you for all your help and support I really appreciate it thanks….

  50. Sebastian says:

    The “stagefright” does not fix the vulnerability it only tells you if it is possible, disabling the auto fetch of mms messages only help prevent auto download of the malicious software, it does not apply a patch to protect against the vulnerability
    Thank you all

  51. Linus Hollis says:

    Coolpad & many other devices have no way to lockout video downloads from SMS or FB’s messenger. Simply not available.

  52. Kamal says:

    Someone or something keeps turning down the volume on my device. What can i do

  53. Randy Blanks says:

    Thanks for the information you provide it’s been helpful.

  54. Ioannis says:

    Thank you very much. Keep up the Great Work!

  55. Nettie says:

    Clearly I am having some type of virus issue. Please cirrect it on my page and my friends page Lori Patriarch. These messages are shiwing up in grey!! It’s embarrassing!!

    • Meghan Kelly says:

      Hi Nettie, Unfortunately we cannot control what is posted on your Facebook account. I would reach out to Facebook’s customer support and mark the posts in question as spam. If they are showing up in grey, however, there’s a chance that Facebook has already marketed them as spam and you can delete them! Check out this article from Facebook’s Help Center: https://www.facebook.com/help/212854178736287

      Hope this helps!

  56. Scott Moser says:

    When will this fix ever come out? It’s been months, its beginning to look like a scam!

  57. nicole says:

    what kind of web video s affected by stagefright bug ?
    can u give a list of untrusted site affected by the stagefright bug?

Leave a comment