Protecting Yourself Against the Latest Android Vulnerabilty

Quite possibly the worst vulnerability to ever be discovered in the Android ecosystem was recently announced.  Known as Stagefright, the vulnerability was found in a key component responsible for media playback on Android devices.  The vulnerability allows an attacker to compromise an Android devices simply by sending the device an MMS message or tricking a user into opening a malicious video file via a vulnerable application that uses the Stagefright component. In an estimated 50% of the affected devices, the victim does not even have to open the MMS or the video for the device to be compromised.

Once the device is compromised, the attacker can then execute custom code on the device and possibly access all the device's contents including photos, contacts, documents, and take pictures using the camera or turn on the mic and eavesdrop on the victim. The attacker can then access the device at any time.  The attacker can also then use the device to access the contact list and forward the malicious video file using MMS (or any other means) to the contact list, thus propagating the attack exponentially, leveraging your contacts' trust to further his attack.

The severity of the attack will depend on the Android version the device is running (as older versions ran the media library as an elevated user).

What can you do to protect yourself?

There are a number of things you can do to protect yourself:

• Disable auto-downloading of MMS (instructions on how to do so can be found here: https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html)
• Practice “safe” internet, email and IM techniques (don’t open links or IM messages from unknown sources or contacts) as malicious videos that exploit this vulnerability.  Don’t open strange files from known contacts as well.
• Be on the lookout for updates to the applications you have install and regularly install these updates.  Unfortunately, although this is rarely mentioned, this might be one of the most useful ways to protect yourself as application developers are releasing patches to protect against Stagefright.  For example, Firefox released version 38 of it’s browser to address this vulnerability.  You can switch to using Firefox as your primary browser until it receives a patch to protect against this vulnerabilty.
• Install OS updates as soon as they are made available.  This is the ideal solution but unfortunately, due to the fragmentation the Android ecosystem and slow response time by many vendors, this may be months away and some devices may never get this update.

Technical Details

For those interested, TrendMicro recently released details on the exact name of the vulnerability.  The vulnerability lies in how the mediaserver component of Stagefright parses malformed MP4 files.  More details can be found here:(http://blog.trendmicro.com/trendlabs-security-intelligence/mms-not-the-only-attack-vector-for-stagefright/).  Combined with the recent public release of the source code of RCSAndroid (Hacking Team’s Remote Access Trojan), the combination of the two can be exceptionally damaging to Android users.