This is really bad. It’s not that there’s another security bug in Android – all devices have security bugs. What’s really bad is that there won’t be a fix for your phone for a long, long time. If ever.
Before you panic, let’s look at what the problem is. You aren’t totally without options…
Security researchers have found that 95% of Android devices running versions 2.2 to 5.1 of the operating system, which includes Lollipop and KitKat, are vulnerable to a security bug, affecting more than 950 million Android smartphones and tablets.
Almost all Android smart devices available today are open to an attack that could allow hackers to access the vulnerable device without the owner being aware of it, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium.
The vulnerability actually resides in a core Android component called “Stagefright,” a multimedia playback library used by Android to process, record and play multimedia files such as PDFs.
A Text Message Received…Your Game is Over
The sad news for most Android users is that the fix will not help the millions of Android users who run older versions of the operating system that Google no longer supports, opening the door for hackers to perform Stagefright attacks.
Drake has developed and published a scary exploit that uses a specially crafted text message in the multimedia message (MMS) format.
All a hacker needs is the phone number of the victim’s Android device. The hacker could then send the malicious message, which will surreptitiously execute malicious code on the vulnerable device with no end user action, no indication, nothing required.
“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” reads the Zimperium blog post published Monday.
“Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised, and you will continue your day as usual—with a trojaned phone.”
The industry convention when security bugs are found (by reputable researchers such as Zimperium) is 90 days of private knowledge between the researcher and the affected company. Then it goes public. Google heavily enforces this 90-day grace period against companies in whose software it finds security holes. But Google did not meet the 90-day silent period.
Unlike Apple, which can issue a patch to all of its devices whenever it wants, Android is completely fragmented across devices and service providers. This means companies have to work together to propagate updates. Sometimes that can take a long time.
What can you do
Nexus, Firefox and Silent Circle phones are already patched. If you don’t have one of those phones, there are a few things you can do to protect yourself from this problem:
- Try asking your device vendor whether a patch is available already. You may be able to get ahead of the game.
- If you can’t get a patch right now, find out when to expect it so that you can apply it as soon as you can.
- If your messaging app supports it (Messaging and Hangouts both do), turn off “Automatically retrieve MMS messages”.
- If your device supports it, consider blocking messages from unknown senders if you haven’t already.
- If your SMS/MMS app doesn’t allow you to turn off “Automatically retrieve messages”, consider simply switching back to Android Messaging, which does.
- After auto-retrieve is off, never open an MMS message from someone you don’t know.
- Acquire malware protection software for your phone. You have it for your computer already. By a staggering coincidence, Zimperium offers phone threat protection software that protects against this particular vulnerability. But this appears to be an enterprise solution only.
- Buy an iPhone, whose security update procedures are much more streamlined.