Stagefright: 99% of Android phones vulnerable while "owner is asleep"

Jul 31, 2015

By Samuel Ingrey | 28 July 2015

Attackers are able to take over any device if they know phone number

"The scariest part is that a Stagefright attack does not require any action by the victim, meaning the flaw can be exploited remotely while a device owner is asleep." [1]

Joshua J. Drake, Zimperium zLabs

As of June 2015, 99% of Android users run version 2.2 or above [2] and Gartner’s analysis states over a billion Android devices shipped in 2014 alone [3].

A serious vulnerability has recently been discovered, by Joshua J. Drake Vice President of platform research and exploitation at Zimperium zLabs, in Android that could allow malware hidden inside a modified media file to be sent via MMS to your device knowing only your phone number. Typically, when the device receives the MMS containing the malware package it will automatically process the content of the file, infecting the device with no user interaction. The problem is both Google Messenger and the Hangouts application by default pre-process media content to make it available to the user very quickly; once infected the malware can then gain access to your camera, microphone and data, to name a few.

Right now I imagine that you’re asking the questions “am I vulnerable” and “what should I do”?

There are a number of measures that can be taken to minimise the risk of infection and detect the presence of malware that has already infected your device.

  1. You can disable MMS messages altogether.
  2. Recently released devices are likely to receive an OTA (Over The Air) update that fixes the problem, so keep an eye out for one.
  3. Set an alternative MMS application to be your default and be careful when viewing videos from unknown / untrusted senders. Some applications have the option to disable downloading of the message content by default; alternative applications include “Messaging” that is on the phone from the factory, or apps downloadable from Google Play store, e.g. Handcent Next SMS. It is possible to uninstall the Hangouts app completely.
  4. Prolonged use of the camera / microphone or other malware functions could have an adverse and noticeable effect on battery life and data usage, keep an eye on use.

Want to learn about the latest mobile application vulnerabilities and how to identify them?

Book your delegate place on: CMST Mobile Application Hacking: Hands-On





Android Robot sleeping