Major Android security vulnerability in Stagefright hijacks your phone via MMS

Say you consider yourself a pretty savvy, security-conscious mobile user: you don’t hop on every untrusted WiFi AP you see, you don’t tap on suspicious links, and you don’t open attachments from unknown sources. All good advice, granted, but even if you’re doing everything in your power to avoid giving someone the opportunity to compromise your phone and your data, sometimes vulnerabilities still manage to slip through the cracks. This week Android users are learning of a critical one that threatens to hijack their phones with little or no user interaction required, thanks to a bug in MMS handling.

The attack embeds malicious code in an MMS message containing a media file. Android attempts to process the video before it’s played back, using a media-handling component called Stagefright, and that’s the step where the vulnerability occurs, letting the payload execute arbitrary code on your device. If you’re using Hangouts as your MMS client, the effect is immediate: you don’t have to do anything at all, and if your phone receives one of these malicious MMS videos, it’s compromised. With Messenger, you may be a little safer, but the attack will still be triggered if you view the message – just opening it is enough, and you don’t even have to play the video.

While a fix has already been developed, a huge number of Android devices are affected, something like 95 percent of them. As a result, it’s going to take a while to get patches out to everyone, and older phones outside support cycles are likely to remain unpatched.

Source: Zimperium
Via: NPR

About The Author
Stephen Schenck
Stephen has been writing about electronics since 2008, which only serves to frustrate him that he waited so long to combine his love of gadgets and his degree in writing. In his spare time, he collects console and arcade game hardware, is a motorcycle enthusiast, and enjoys trapping blue crabs. Stephen's first mobile device was a 624 MHz Dell Axim X30, which he's convinced is still a viable platform. Stephen longs for a market where phones are sold independently of service, and bandwidth is cheap and plentiful; he's not holding his breath. In the meantime, he devours smartphone news and tries to sort out the juicy bits.