“Stagefright” Security Hole in Android

The Stagefright security bug is in the MMS system on Android phones. MMS is similar to SMS (Short Message Service) but carries multimedia such as videos, sounds, and pictures. While it is an aging system, most Android devices are still set up to receive MMS messages and will process them automatically by default.

On newer Android devices (4.4, aka KitKat, and 5.x, aka Lollipop), the default SMS/MMS apps are “Messaging” and “Hangouts”, and the default configuration for these apps is to download MMS content in the background as soon as the messages arrive.

The bug allows shellcode to take control of your device when a malicious MMS message arrives. This type of attack is known as remote code execution (RCE). Zimperium, the security company that found the bug, claims that 950 million devices may be at risk.

Google has responded to the bug and has prepared patches, but it’s possible that not all carriers will immediately patch or announce the patch to their customers. In the meantime:

  • Ask your mobile carrier whether a patch is available.
  • If not, find out when you can expect it.
  • If your messaging app supports it, turn off “Automatically retrieve MMS messages.” (Messaging and Hangouts both allow this.)
  • Consider blocking messages from unknown senders.

We will send further information as more is released.

Read the story in the news here.