| Researchers July 28, 2015


July 28, 2015

What you need to know about the new Android vulnerability, “Stagefright"

By Lookout

Update: We have released a detector app to help you know whether your device is affected. Learn more here.
What is Stagefright?
Yesterday a security researcher revealed a series of high-severity vulnerabilities related to Stagefright, a native Android media player, that affect nearly all Android devices in the world. The Stagefright vulnerabilities carry serious security implications: an attacker could exploit them to remotely control and steal data from a device by sending a victim a multimedia message (MMS) packaged with an exploit.
Any number of applications can process MMS content and thereby receive exploits, but devices using Google Hangouts for this purpose may be most at risk since a victim may not even need to open the message in Hangouts for an attacker to take control of their device. In all other hypothetical attacks it appears a victim needs to open their default SMS messaging app and the message thread itself for the exploit to work (although the media file does not necessarily need to be played within the app).
Based on Lookout’s own Stagefright research over the last 24 hours it also appears that multimedia viewed in a browser (e.g. a web video) could be used to deliver a Stagefright attack.
The Stagefright vulnerabilities affect all Android devices running Froyo 2.2 to Lollipop 5.1.1, which covers approximately 95% of all Android devices today.  The security researcher who discovered these vulnerabilities first alerted Google to this issue in April and included security patches. Google has accepted the patches and sent security updates to its partners to be distributed to vulnerable devices.
Lookout’s Protection
Lookout protects devices from malware delivered using Stagefright exploits. Keep in mind that a device will remain vulnerable until it receives Google’s patches for these vulnerabilities.  Android devices other than Nexus devices will ultimately need to get these patches through a Google partner (either a device manufacturer or wireless carrier). Nexus devices, however, will receive a direct security update from Google next week, according to a Google spokesperson.
Unfortunately, security patches delivered by Google’s partners can take weeks and even months to fully deploy.  To check if a patch is available for most Android devices, go to Settings and click System Updates. In the meantime, Android users waiting on Stagefright security patches can take additional steps on their device to protect themselves.
Additional Protection
As an added protection measure, Lookout recommends disabling auto-fetching of MMS messages on a device’s default SMS app.
When an Android device receives a video message via SMS, by default it will automatically download the file. Therefore, disabling auto-fetching prevents an attacker from getting a device to automatically download a malicious video containing Stagefright exploits, which allows the user to delete the message and avoid device exploitation.
A device’s default SMS app may be “Hangouts”, or it may be a version of a native Android app variously named “Messages”, “Messaging”, or “Messenger”, depending on the device model and Android version. To determine your device's default SMS app, go to Settings > Default applications > Messages.
We’ve included walk-through instructions below that show how to disable MMS auto-fetching for the four messaging apps listed above. If a device uses a different default SMS app, Lookout recommends disabling MMS auto-fetching within that app or switching to an app such as Hangouts that allows this feature to be disabled. Lookout users can contact Lookout support if they need help disabling MMS auto-fetching.
While these instructions will make it harder for a device to be exploited via MMS, Lookout encourages Android users to exercise caution when viewing videos displayed on untrusted websites or included in messages from unknown senders.
Instructions for disabling auto-fetching of MMS for Hangouts:
First, open Hangouts, then, tap on the menu button in the upper left corner:
SF1 Then tap “Settings”:
SF2 Then tap “SMS”:
SF3
(Note: If SMS is not listed here then a device does not use Hangouts for retrieving SMS/MMS and the user should instead disable auto-fetching of MMS for the relevant application.)
Then scroll down and uncheck “Auto retrieve MMS”:
SF4
Instructions for disabling auto-fetching of MMS for Messages:  
First, open Messages, then, tap on the menu button in the upper right corner:
SF5
Then tap “Settings”:
SF6
Then tap “Multimedia message (MMS)”:
SF7
Then uncheck “Auto retrieve”:
SF8  
Instructions for disabling auto-fetching of MMS for Messaging:
First, open Messaging, then, tap on the menu button in the bottom right corner:
SF9
Then tap “Settings”:
SF10
Then scroll down and uncheck “Auto-retrieve”
SF11
Instructions for disabling auto-fetching of MMS for Messenger:
First, open Messenger, then, tap on the menu button in the upper right corner:
SF12
Then tap “Settings”:
SF13
Then tap “Advanced”:
SF14
Then disable “Auto-retrieve”:
SF15
In short, Lookout recommends leaving MMS auto-fetching disabled until a device is patched. If a system update is pushed to your device, you should install it at your earliest convenience. You can continue to follow the Lookout blog to stay up to date on this issue.

Author

Lookout

Leave a comment

Submit


57 comments


nicole says:

March 11, 2017 at 9:38 pm

what kind of web video s affected by stagefright bug ? can u give a list of untrusted site affected by the stagefright bug?


Scott Moser says:

January 12, 2016 at 2:06 pm

When will this fix ever come out? It's been months, its beginning to look like a scam!


Nettie says:

December 24, 2015 at 2:24 pm

Clearly I am having some type of virus issue. Please cirrect it on my page and my friends page Lori Patriarch. These messages are shiwing up in grey!! It's embarrassing!!


Meghan Kelly says:

December 28, 2015 at 10:16 am

Hi Nettie, Unfortunately we cannot control what is posted on your Facebook account. I would reach out to Facebook's customer support and mark the posts in question as spam. If they are showing up in grey, however, there's a chance that Facebook has already marketed them as spam and you can delete them! Check out this article from Facebook's Help Center: https://www.facebook.com/help/212854178736287 Hope this helps!


Ioannis says:

December 01, 2015 at 3:32 pm

Thank you very much. Keep up the Great Work!


Randy Blanks says:

November 18, 2015 at 8:44 am

Thanks for the information you provide it's been helpful.


+ Load more comments