Have you received an MMS message that you tried to open and nothing happened?
A flaw has been exposed deep inside the Android operating system. Nicknamed ‘Stagefright’, this vulnerability can allow hackers to infect your device via an MMS message.
To make it worse, you don’t even have to open the message; as soon as you receive it, the hackers may already have access to your private data, and even take control of your camera and other sensors, just by knowing your phone number.
Researchers at the US information security firm Zimperium discovered the bug in April. The flaw in the operating system has been present since Android 2.2 Froyo, which launched back in 2010, so up to 950 million devices worldwide could be affected, according to Zimperium.
In a statement, Google said: “This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no-one has been affected.” However, given the sheer number of devices that are vulnerable, there is no way to say definitively that no one has been attacked via the Stagefright bug.
The bug is also public knowledge now, so even if it wasn’t before, it is now ready for exploitation.
In August, Google announced a security patch for the Stagefright bug, but millions of devices currently remain unprotected because manufacturers and mobile operators have to distribute updates to customers themselves, and not every customer updates their device regularly.
HOW STAGEFRIGHT WORKS
HACKER SENDS MMS
MMS messages resemble SMS but with videos, sounds and pictures, these used to be popular way back. However, while smartphone users now prefer to send images via apps like Whatsapp, Android devices can still receive MMS messages.
To attack your device, all a hacker has to do is send a video embedded with malicious code to your mobile number.
The Stagefright bug is named after the open source media library 95 per cent of Android devices use. The Stagefright library helps phones unpack multimedia content, but contains vulnerabilities hackers can exploit. To make it worse, your Android Phone processes videos automatically, so you don’t even have to open the MMS for the hacker to gain entry to your device.
OPEN TO ATTACK
Even if the hacker doesn’t gain instant control of your Android as soon as you receive the message, they will have lots of other chances. Just previewing the MMS message in your notification tray can leave you open to attack.
Viewing the MMS, touching the video in your Messenger app, or rotating the screen to view the video horizontally, also triggers the vulnerability over and over again
ACCESS TO YOUR PHONES DATA
Once inside you Android device, the hacker can access your phone’s data, photos, camera and microphone. If they’re smart, the hacker can even delete the bobby-trapped message from your phone before you even realise that your device has been compromised. The data they can access includes your contacts, so they can target your friends and families’ devices as well, continuing the cycle.
HOW TO SCAN FOR STAGEFRIGHT
If you are using a device that runs on Android, you may as well assume you’re at risk, and use one of the two apps we are recommending to scan for Stagefright.
Stagefright Detector App Free
Created by Zimperium, the organisation that discovered the Stagefright bug, this app will give you a list of CVEs (common vulnerabilities and exposures) that impact your phone. If the app says you’re vulnerable to Stagefright, it will also give you the option to contact Zimperium directly for advice.
Stagefright Detector Free
This Stagefright scanner has more of a polished finish than Zimperium’s app. Created by Lookout, the mobile antivirus and threat protection provider, their Detector does exactly the same job, but also includes additional details on how Stagefright works and steps you can take to protect yourself.
HERE IS WHAT ELSE YOU CAN DO TO PROTECT YOURSELF
Even though a security patch is the only way to fix the Stagefright bug, there are a few other defensive measures that you can take to protect your Android device from attack.
While you can’t stop your phone from receiving MMS messages, you can stop your phone from automatically downloading video and giving hackers easy access to your data.
In Google’s Android Messenger app, go to Settings > Advanced and toggle Auto-retrieve to Off.
In Hangouts, go to Settings > SMS and untick Auto retrieve MMS from the list of options.