We Should Probably Talk About Stagefright


As Android vulnerabilities go, this one’s pretty bad. In fact, it’s probably the worst security scare that the platform has ever seen—despite being only a theoretical vector for attack. At least for now.

“Stagefright” gets its name from libstagefright, an engine deep within the Android OS used to decode videos in MMS messages. What makes it so potentially scary is that it can be executed remotely on almost any Android device; it requires only the user’s phone number and grants the attacker root access and the ability to run arbitrary code.

So what can you do to protect yourself?

The first, and easiest, measure is to disable the auto-retrieval of MMS messages in your SMS app. Unfortunately, if you’re using Hangouts for SMS you won’t have that option in your settings, so you’ll have to take further measures. A good start is to download and run Zimperium Research Labs’ free Stagefright Detector. Zimperium is the company credited with discovering the expoit, and their app will scan your device for one of seven known Common Vulnerabilities and Exposures (CVEs). If you find that your device is vulnerable you should probably switch from Hangouts to another SMS solution. The recently open-sourced QKSMS and Google’s own Messenger are worthy options to consider.

If you’re running a custom ROM you might want to think about switching to CyanogenMod, at least temporarily. Nightly builds of CM12.1 have already been patched to protect against the Stagefright exploit. If you’re using the stock ROM on a Nexus or other flagship device there’s a good chance a patch for it has already been issued. In fact, it might be helpful for other forum members if you wanted to reply to this thread with your device, carrier and whether or not it’s been patched.

Finally, remember that this attack has yet to occur in the wild. There are some additional technicalities around the exploit that have yet to be proven possible. But better safe than sorry, right?

Further Reading:

Leave a Reply