Zimperium Mobile Security has uncovered a major vulnerability in the Android ecosphere that will affect 95% of all Android devices. Named "Stagefright," this vulnerability will allow a hacker total access to your phone and completely take it over, all with just a text. This vulnerability affects all Android versions from 2.2 Froyo to 5.1 Lollipop.
According to an NPR interview with Joshua Drake, a security researcher from Zimperium, it has to do with the initial processing of MMS texts sent to the device. The simple explanation would be that someone writes an exploit for your phone and embeds it into a video that is then texted to you. Once you receive the message (you don't even have to open it), the vulnerability is triggered. Once you open the message, the exploit can run and it's too late.
The main culprit app that was discussed by Drake was Google Hangouts, one of the default messaging apps from Google. The issue with Hangouts is that it pre-processes pictures and videos for the user, which means they don't need to be opened because they are already loaded. An exploit can silently run without any interaction. With most other messaging apps, including the default messages app, you would have to open the message and view it for an exploit to be run.
... OK, that's the bad stuff ... now, the good.
Zimperium has already been in contact with Google about the exploit, and has even created a patch for it. They have been in talks since May. Zimperium has already received confirmation from Google that it has accepted all the patches Zimperium sent. Google has already passed these patches on to the OEMs so they can ready a patch. Help is on the way.
... yeah, more bad stuff ...
As anyone with an Android phone knows, the problem with Android is that there is no way to patch directly, a la iPhone, and because of this, these patches could take months, if they come at all. Google started the ball rolling, but the patch has to go through the OEMs, who look at it to make sure it won't brick a phone. Then it gets passed to the carriers to make sure that it doesn't mess with the network. Some phones may be deemed too obsolete to patch, even though they are still out there. Some manufacturers are in the process of working it out, some haven't commented yet. Luckily, there are no current malware apps out there exploiting this vulnerability ... but Zimperium is also presenting on August 6th at Black Hat USA and at DEFCON 23 on August 7th.
So what can we do about this? Well, hold on to your butts, kids. This isn't really the end of the world. Scary, sure, but with a little protection and sense, it will be all okay. It's like "the world's worst cold is spreading, how do we protect ourselves?" Here are some hints:
- Don't panic, just breathe. Zimperium has said that they have not seen any exploits currently out there using this vulnerability.
- Be vigilant. Don't receive texts from random numbers unless you are expecting them (new friend, new cell, etc.).
- Turn off "auto-retrieve." Most messaging apps have the ability to turn off auto-retrieve for MMS; if yours does, turn it off. This will help but not cure it, because this way your messenger won't pre-process everything. It will be a nuisance when you have to hit the "Download" button to receive anything MMS, including group texts, but if you're worried, it will help.
- Don't use Hangouts as your default messenger until you get the "all clear" from Google. The pre-processing is the main issue here. It's one of the features Hangouts relies on for the speed at which it runs. If you use it as your default messaging app and someone you don't know texts you, then it's game over without you even playing. This is a system-level issue, so it may take more than an update to fix that.
Are you concerned? Let us know below!