Say you consider yourself a pretty savvy, security-conscious mobile user: you don’t hop on every untrusted WiFi AP you see, you don’t tap on suspicious links, and you don’t open attachments from unknown sources. All good advice, granted, but even if you’re doing everything in your power to avoid giving someone the opportunity to compromise your phone and your data, sometimes vulnerabilities still manage to slip through the cracks. This week Android users are learning of a critical one that threatens to hijack their phones with little or no user interaction required, thanks to a bug in MMS handling.
The attack embeds malicious code in an MMS message containing a media file. Android attempts to process the video before it’s played back, using a media-handling system called Stagefright, and that’s the step where the vulnerability occurs, letting the payload execute arbitrary code on your device. If you’re using Hangouts as your MMS client, the effect is immediate: you don’t have to do anything at all, and if your phone receives one of these malicious MMS videos, it’s compromised. With Messenger, you may be a little safer, but the attack will still be triggered if you view the message – just opening it is enough, and you don’t even have to play the video.
While a fix has already been developed, a huge number of Android devices are affected, something like 95 percent of them. As a result, it’s going to take a while to get patches out to everyone, and older phones outside support cycles are likely to remain unpatched.