“Stagefright” Bug Leaves Up to 950 Million Android Devices Vulnerable

By: Krista M. | Cyber Threat Intelligence Analyst, NJCCIC

In April of 2015, Joshua Drake, a mobile security researcher at Zimperium zLabs, discovered the largest Android vulnerability to date. The flaw, named “Stagefright” after the mobile platform’s media playback engine, critically affects 95% of all Android devices, or about 950 million mobile devices. Any mobile device running Android OS 2.2 or later is vulnerable, to include the following Android OS versions: Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean, KitKat, and Lollipop.

What makes this vulnerability so unique and concerning is that it doesn’t require any user-interaction to execute. Unlike other attacks that require the victim to click on a malicious link or open an infected attachment, with Stagefright, the attacker could simply send the victim a specially-crafted text message and gain control of the receiver’s Android device. Although there is an extraordinarily large number of devices at risk, as of yet, there are no known reports of attackers actually exploiting this vulnerability in the wild.

So, how does it work?

An attacker creates a video file that contains a string of malicious code and then sends it via text message to the victim’s Android phone. The phone’s media playback engine automatically processes the malicious video before the text message is opened in order to reduce viewing lag-time. It’s during this process that the malicious code executes and the attacker is able to hijack the device, steal data, and control various functions and applications – perhaps most disturbingly, video and audio recording.

Fortunately, the researchers at Zimperium zLabs have already submitted patches to Google, the maker of Android, which they promptly applied internally. However, the external deployment of these patches to all Android devices will take much longer since it’s the device manufacturers who are ultimately responsible for securing their own products against this vulnerability. Android users can contact their device manufacturer or phone carrier to find out when they should expect to receive a patch. In the meantime, though, the NJCCIC recommends disabling the “Auto-Retrieve MMS” feature of Android messaging applications, preventing the automatic execution of malicious code sent via text messages. Instructions for how to disable this feature on Google Hangouts, Google Messenger, and the Android Messenger app can be found here. Also, if the device or messaging app includes this function, consider blocking messages from unknown senders.