Stagefright is an exploit that affects the Android Operating System from versions 2.2 Froyo to the current Android Lollipop by allowing attackers remote access to your device. We will get to defending yourself against Stagefright later and note that you cannot actually remove the exploit but you can remove the risk of being attacked through it.
What can an Attacker do with he Stagefright software bug?
Basically the exploit can allow an attacker to access your Android device remotely and perform actions without your knowledge. This will allow privilege escalation and remote code execution by the atacker simply by do something as simple as sending an MMS message to a victim’s device. In fact a computer security researcher demonstrated proof of this by sending an MMS to a device that in most cases does not require the victim to do anything knowing nothing more than the unassuming persons phone number.
Why is the Starfright exploit in Android in the first place?
Simply put it is part of the AOSP or Android Open Source Project used as a backend engine to play multimedia files like mp4’s. You average person cannot take advantage of the exploit as a little deeper its a complex software library written in C++ that allows exploiting of certain integer overflow vulnerabilities in Android’s core.
How to defend against Stagefright?
There is only one thing you can do to keep from having an atacker remotely access your device using the exploit and that is turning off MMS auto-retrieval on your device. To do this follow the instructions below:
How to Disable MMS automatic message downloading?
First you need to figure out what app you are using for SMS messaging then you can disable it. You can find your default SMS app by going to “Settings -> Default applications -> Messages”. Once you have your default SMS app figured out you can scroll down and find the app you use.
Disable MMS auto-downloading in Hangouts
- Open Hangouts and tap the menu top left
- Tap settings and select SMS
- Scroll down and uncheck “Auto Retrieve MMS”
Disable MMS auto-downloading in Messages
- Open Messages and tap the menu top right
- Tap settings (GS6 users have to tap “More Settings) and select Multimedia Message (MMS)
- Uncheck “Auto Retrieve”
Disable MMS auto-downloading in Messaging
- Open Messaging and tap the menu bottom right
- Tap settings and scroll down and uncheck “Auto Retrieve”
Disable MMS auto-downloading in Messenger
- Open Messenger and tap the menu top right
- Tap settings and select Advanced
- Disable “Auto-retrieve” (or pre-fetch depending on version)
Disable MMS auto-downloading in Verizon Message+
- Open Verizon Message+ and tap the menu
- Tap settings and select Advanced
- Disable “Auto Retrieve”
If you use a different app for MMS then the ones above then please let us know in the comments below and if you know the process please go ahead and add that as well.
NOTE: This does not fix the exploit but limits the risk. Also keep in mind that these are general instructions for a majority of versions but does not cover every version of Hangouts, Messenger, Messages, etc.
How was the Starfright bug discovered?
Joshua Drake from Zimperium Security Firm found the exploit and publicly announced its presence on July 27th of this year. Before the bug was announced Drake privatly reported the bug to Google two months earlier in April. Reportedly Google released a patch that fixes the exploit within days of Drake letting them know it existed. This said if you are on a carrier specific device then you need to wait for them to release the update which depending on the age of your device may or may not ever come.
How to detect if you have been affected by Stagefright?
Recently Lokout Mobile Security sent out an email to users of their apps notifying users of the possibility of being affected stating the following:
Recently, a new security vulnerability that affects Android devices was discovered, called “Stagefright.” We take our promise of giving you peace of mind seriously, so we wanted to reach out to explain the risk and provide a few steps you can take to protect your Android device.
Then they state what the vulnerability is and then how to find out if you are affected by downloading their “Stagefright Detector” app from Google Play.
That said it will tell you if you are vulnerable but there isn’t much you can do until your carrier releases an update besides disabling MMS auto-retrieval on your device.