In order to make it even easier for you to detect whether your Android device is vulnerable or not, we have launched an app that you can download directly from Google Play.
Black Hat and DEF CON, security researcher Joshua Drake published his findings about a vulnerability in the heart of Android that could allow attackers to steal information from Android devices through remotely executed code via a maliciously crafted MMS. According to the Zimperium zLabs researcher, up to 950 million devices could be vulnerable.
Since this was dubbed one of the biggest vulnerabilities ever, we’re summing up a quick FAQ about it in order to better understand this vulnerability, as well as show how to find out whether your Android device is vulnerable.
Is it really the worst of all Android vulnerabilities?
It is difficult to label a vulnerability as being the worst, because the basis for this attribution varies. For instance, the number of devices affected, ease of compromising, amount of exploits in the wild, etc. However, with 950 million users of Android devices potentially affected and after one failed attempted by Google to fix it, we should take this a bit more seriously than other, more commonplace vulnerabilities.
How does this vulnerability work and why is it called Stagefright?
Among the thousands of lines in the source code of Android, there is a media library called Stagefright that is in charge of managing multimedia formats that allow you to playback videos and music on your Android devices. An attacker could exploit this vulnerability by crafting a MMS with an exploit and send it to the victim. In this case, this could be a targeted attack based uniquely on the victim’s telephone number, which is the only information needed to send the crafted MMS. It depends on what application you use to visualize the MMS, as with regular Messenger the exploit will be executed only after seeing the MMS without playing the media. Using Hangout could be even worse, since the device would be compromised almost automatically even before you are able to see the notification.
What versions are vulnerable?
According to the investigation, all versions from Froyo (2.2) inclusive are vulnerable, which means 95 per cent of Android devices – or about 950 million users worldwide. In addition, versions prior to Jelly Bean are at higher risk, since they do not incorporate appropriate mitigations.
Additionally, keep in mind that Stagefright is actually composed of seven different vulnerabilities (plus one more reported on the first attempt to patch) that have been reported at this time. Google already released a first patch but researchers from Exodus already found a bug within the patch. Google released another patch to mitigate the vulnerabilities and confirmed that Nexus 4, 5, 6, 7, 9, 10 and Player will receive the new monthly security update in September.
The problem is: who will receive these patches? Users of devices such as the smartphone Nexus 6 can be sure that this update will be published as Google confirmed. The point is that other vendors may launch the patch only for their latest devices, but still leaving most of users without patches because neither vendors nor the operators are going to bother to release this update for devices considered obsolete.
Is your Android still vulnerable? Here’s what you can do
We recommend you to check with your vendor whether you already have a patch for your Android device. However, as we have seen this past week, even the patch could contain an additional bug. Therefore, we suggest you to check whether your device is vulnerable with the ESET Stagefright Detector App and stay alert for new information and if necessary request updates from your vendor to fix this issue.
Finally, we also recommend you to deactivate auto retrieve either under Advanced Settings in case of using Messenger or in Settings / SMS / Auto retrieve in case of Hangout.[su_box title=”About ESET” style=”noise” box_color=”#336588″]
ESET is a pioneer of proactive protection against cyber threats with its award-winning NOD32 technology. Daily, it protects over 100 million computers, laptops, smartphones, tablets and servers, no matter the operating system. ESET solutions for home and business segment deliver a continual and consistent level of protection against a vast array of existing and emerging threats.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.