A day ago, a vulnerability was disclosed for Android phones performing a remote code execution over MMS. The vulnerability, named Stagefright after Android’s built-in stagefright media library, occurs when your Android device, upon receiving an MMS, starts processing it in the background, so you have seamless experience when you actually open it up. This processing is done automatically and without any user action performed. Apart from the incoming MMS notification, you may never know if your device was accessed by a malicious user or not.
Joshua Drake, the security researcher who reported the bug believes
All [Android] devices should be assumed to be vulnerable,
Only Android phones below version 2.2 are not affected.
Zimperium zLabs, the mobile security firm Drake is a VP of, notified Google of the vulnerability and according to Drake,
Google acted promptly and applied the patches to internal code branches within 48 hours.
Upon reaching a Google spokesperson, she’d responded with an email that,
The security of Android users is extremely important to us, so we’ve already responded quickly to this issue by sending the fix for all Android devices to our partners.
Although it is to be noted that security is baked deep into Android and that the OS uses a sandbox environment which runs apps, processes, and services, in their own separate areas of sort. Coupled with SELinux enforce enabled by default, apps outside the sandbox can’t have access to data of other apps, processes, and services. According to Google vulnerability report, only 0.15% malware exist in Android. For more details on how security works in Android, read a detailed post by Android Authority and first-hand information about security on Android about the platform’s Lead Security Engineer, Adrian Ludwig.
Even though Google applied the patches to the Android Open Source Project, we all know how terrible OEMs are about distributing updates to their users. I’m not going to assume this vulnerability is going to change anything with OS updates on OEM devices hence a solution unless you decide to toss out your current phone and go Nexus.
How to protect from the vulnerability?
I’m going to demo how to do that on Google Hangout, the default SMS application on many Android devices and Messenger, another famous SMS application by Google.
Open app, go to Settings, and choose Advanced.
From there, unselect Auto-retrieve and you’re done.
If you’re like me and use Google Hangouts, you can easily turn it off, too.
Just slide from the left to view navigation drawer, from there choose Settings.
From settings, go into SMS.
And then unselect Auto-retrieve MMS.
If you use any other app, the option must be there to turn off automatically downloading MMS content. On principal, you shouldn’t open any MMS message you receive even if it is from a friend. If you still need help in finding it, just drop a comment and I will look into it.
Passionately a software developer, Basit Saeed considers himself a person who believes in software and social media being the change agents of 21st century. He is a techy, a gadgets freak, and loves playing with code whenever he can. He tweets at @basit_saeed.