A series of bugs and security loopholes in the Android operating system could allow hackers to take control of up to 95% of Android smartphones simply by sending an MMS message with malware attached.
What is the Stagefright bug?
Stagefright is the name of the Android operating system’s media library, and the bug is named after it. The bug affects all Android devices running version 2.2 and up, and there is currently no patch. The recipient doesn’t even have to open the message. By default, the Android operating system downloads unread messages, triggering the malware. An attacker could send the MMS with malware attached, take control of the phone and delete the message before the user is any wiser.
When will the bug be resolved?
The mobile security company Zimperium Labs discovered the flaw and alerted Google in April. Google is working on a patch for its Nexus devices, but it won’t be available until next week. For other device manufacturers, it could take a lot longer.
Very few manufacturers run vanilla Android on their devices. Most devices have customized software that will require testing. Google will provide the software fix to the manufacturer, which then must test the update on its devices. The manufacturer will apply the update to the base version of its OS, then test each individual product line. After the manufacturer is finished, it sends the update to the wireless carrier. Sometimes carriers do their own testing before pushing the update out to users. It could be weeks or months before non-Nexus devices see an update. The cost of testing means some older devices may never get it.
What can you do to protect your device now?
The key to protecting your smartphone is preventing the device from automatically downloading MMS messages from the server. Open your default messaging app and press the Menu button. Select Settings and look for an “Auto-retrieve” checkbox. Some devices may have the option under “Advanced settings.” Unchecking this box will stop the device from downloading the messages, allowing you to delete messages from any numbers you don’t recognize before you open them. If you can’t find the setting, contact your wireless carrier or device manufacturer for assistance.
Is Stagefright the only vulnerable part of the Android OS?
There are no confirmed cases of hackers using the bug, but the sheer number of vulnerable devices makes this a major security flaw. Zimperium Labs indicated in a blog post that others had previously uncovered bugs in Stagefright, and that it is possible the bug is already in use.