Android users, beware Stagefright – ‘worst-ever’ vulnerability
By Digital News Asia August 7, 2015
- Fortinet describes it as ‘worst ever vulnerability’ to date
- 95% of Android devices at risk; the Firefox browser is also affected
FORTINET has warned users that a critical vulnerability found in the Android operating system could allow hackers to gain access to their mobile devices with a single multimedia message (MMS).
Described as “one of the worst ever Android vulnerabilities discovered to date,” Stagefright allows a phone hack just by receiving a malicious MMS.
What’s most alarming is that the victim does not even need to open the message or watch the video to activate it, Fortinet said in a statement.
The Stagefright flaws affect any Android smartphone, tablet or other device running Android 2.2 or later.
“This puts 95% of Android devices at risk of being hijacked. The vulnerability is considered particularly serious since it can be exploited without any user interaction,” said Ruchna Nigam (pic), security researcher at Fortinet’s FortiGuard Labs.
“Other exploits and malware for Android phones typically require some sort of user interaction such as installing an application, clicking a link, or opening an MMS.
“What’s even worse [with Stagefright] is that the received message can also be deleted, leaving no trace of an attempted attack on the victim’s phone,” she added.
Nigam said the attack works by exploiting Android’s built-in media library, which parses several popular media formats. A malicious media file can be specially crafted and delivered to a user’s phone via MMS.
Upon receipt, the application responsible for handling MMS automatically downloads the message and renders a preview of it in the notification shade. Generating that preview hands the crafted file to the vulnerable media library, which is enough to trigger the flaw on the phone without the user ever opening the message.
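The attack hinges on a native media parser trusting length fields inside an attacker-supplied file. The following is an added illustration, not Fortinet’s or Android’s code and not the actual Stagefright bug: a minimal, bounds-checked walker for the MP4/ISO “box” structure that the media library has to parse before it can render a preview. Every size field is validated against the bytes actually remaining before it is used, so a header that lies about its size yields an error code rather than an out-of-bounds read or an unsigned underflow. The three input files are constructed here for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts returned by the walker. */
enum box_status { BOX_OK = 0, BOX_TRUNCATED = 1, BOX_BAD_SIZE = 2, BOX_TOO_DEEP = 3 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Walk the boxes in buf[0..len), recursing into container boxes.
 * Each size is checked against the remaining bytes before any use. */
int walk_boxes(const uint8_t *buf, size_t len, int depth, int *count) {
    size_t off = 0;
    if (depth > 8) return BOX_TOO_DEEP;            /* cap nesting from hostile input */
    while (off < len) {
        size_t remain = len - off;
        if (remain < 8) return BOX_TRUNCATED;      /* not even a full header left */
        uint64_t size = be32(buf + off);
        size_t hdr = 8;
        const uint8_t *type = buf + off + 4;
        if (size == 1) {                           /* 64-bit "largesize" follows the type */
            if (remain < 16) return BOX_TRUNCATED;
            size = be64(buf + off + 8);
            hdr = 16;
        } else if (size == 0) {                    /* box extends to end of data */
            size = remain;
        }
        if (size < hdr) return BOX_BAD_SIZE;       /* size - hdr would underflow; off would never advance */
        if (size > remain) return BOX_TRUNCATED;   /* header claims more bytes than we hold */
        (*count)++;
        if (memcmp(type, "moov", 4) == 0 || memcmp(type, "trak", 4) == 0) {
            int r = walk_boxes(buf + off + hdr, (size_t)size - hdr, depth + 1, count);
            if (r != BOX_OK) return r;
        }
        off += (size_t)size;
    }
    return BOX_OK;
}

/* Constructed sample inputs (not captured from any real attack). */
static const uint8_t GOOD_FILE[] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'i','s','o','m', 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x18, 'm','o','o','v',
      0x00,0x00,0x00,0x10, 't','r','a','k',
        0x00,0x00,0x00,0x08, 'm','d','i','a',
    0x00,0x00,0x00,0x00, 'm','d','a','t', 0xde,0xad,0xbe,0xef,   /* size 0: runs to end */
};
/* Header claims 65535 bytes while only 12 remain: a trusting parser reads past the buffer. */
static const uint8_t OVERSIZED_FILE[] = {
    0x00,0x00,0xff,0xff, 'm','d','a','t', 0xde,0xad,0xbe,0xef,
};
/* Header claims 4 bytes, smaller than the 8-byte header: size - 8 underflows to a huge value. */
static const uint8_t UNDERSIZED_FILE[] = {
    0x00,0x00,0x00,0x04, 'f','r','e','e',
};

int verdict_good(void)       { int n = 0; return walk_boxes(GOOD_FILE, sizeof GOOD_FILE, 0, &n); }
int boxes_good(void)         { int n = 0; walk_boxes(GOOD_FILE, sizeof GOOD_FILE, 0, &n); return n; }
int verdict_oversized(void)  { int n = 0; return walk_boxes(OVERSIZED_FILE, sizeof OVERSIZED_FILE, 0, &n); }
int verdict_undersized(void) { int n = 0; return walk_boxes(UNDERSIZED_FILE, sizeof UNDERSIZED_FILE, 0, &n); }

int main(void) {
    static const char *names[] = { "OK", "TRUNCATED", "BAD_SIZE", "TOO_DEEP" };
    printf("good file:       %s (%d boxes)\n", names[verdict_good()], boxes_good());
    printf("oversized box:   %s\n", names[verdict_oversized()]);
    printf("undersized box:  %s\n", names[verdict_undersized()]);
    return 0;
}
```

The two rejected files show the two directions in which a length field can lie: larger than the data that exists (an over-read) and smaller than its own header (an unsigned underflow that turns into a huge length, or a loop that never advances). A preview-generating parser receives bytes like these from anyone who knows the phone number, so both checks have to happen before the size is trusted for anything.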
“All an attacker needs is the victim’s phone number to get the ‘Stagefright’ exploit to work. Devices running unpatched Android versions earlier than 4.1 ‘Jelly Bean’ have been deemed the most at risk due to inadequate exploit mitigations,” Nigam said.
The vulnerability also affects Mozilla Firefox, which uses the same media library on every platform except Linux. The flaw was patched in Firefox version 38, and users are advised to upgrade their browsers.
Fortinet advises smartphone users to take the following precautionary measures:
1) Disable auto-downloading of MMS messages in every app used to handle them, such as the default Android Messaging application, Google Hangouts or any other application you use to receive or manage phone messages.
2) Update the phone’s Android OS as soon as a patch is available for it. Patches for some popular builds are either rolling out or already available (CyanogenMod and Blackphone):
- Patched in CyanogenMod 12.0 and 12.1 nightlies: https://plus.google.com/+CyanogenMod/posts/7iuX21Tz7n8
- Patched in Blackphone handsets with PrivatOS version 1.1.7
- Updates for Google Nexus phones will be rolled out starting this week.