Stagefright: Just how scary is it for Android users?

If your smartphone or tablet vendor doesn't fix the Stagefright security hole, this text-message based malware can be really scary. But you can protect yourself from it with a few simple steps.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Frankly, most people who get malware are asking for trouble. They open a suspicious file from a stranger, go to a skanky website, or download the movie or game that came out yesterday from BitTorrent. Then, there's Stagefright. With malware based on this security hole, all you need to do is get a text on your unpatched Android device, and, bang, you're hacked.

Android's Stagefright security hole is scary, but you can avoid it.
Stagefright can attack any Android smartphone, tablet, or other device running Android 2.2 or higher. In short, of the approximately 1 billion Android gadgets out there, Stagefright could, in theory, hit 95 percent of them.

Can you say bad news? I knew you could.

Zimperium zLabs VP of Platform Research and Exploitation, Joshua J. Drake, who uncovered Stagefright, claims that it's among the "worst Android vulnerabilities discovered to date." He's got a point.

Stagefright holds up your device by being sent to you as a multimedia text message. For example, a short video of kittens playing could be used to put malware on your system.

The really sneaky part is you don't need to watch the playful cats. If you're using Google's Hangouts app, you don't even need to open your text message app. All the attacker needs to do is send a poisoned package to your phone number. It then opens up your device, and the attack starts. This can happen so fast that by the time your phone alerts you that a message has arrived, you've already been hacked. If, on the other hand, you're using Android's standard Messenger app, you must open the text message -- but not necessarily watch the video -- to get hacked.

This security hijack works by taking advantage of Android's built-in Stagefright media library. This media playback engine comes with software-based codecs for several popular media formats and is used for audio and video playback. The security hole appears to be that, to reduce video viewing lag time, Stagefright automatically processes the video before you even think about watching it. Drake will reveal the full details of how Stagefright works at Black Hat in early August.

In the meantime, Zimperium informed Google of the problem in April. According to Drake, "Google acted promptly and applied the patches to internal code branches within 48 hours."

A Google spokesperson added in an e-mail response that, "The security of Android users is extremely important to us, so we've already responded quickly to this issue by sending the fix for all Android devices to our partners."

She added:

  • Security is baked into Android: Android applications run in what we call an "Application Sandbox." Just like the walls of a sandbox keep the sand from getting out, each application is housed within a virtual "sandbox" to keep it from accessing anything outside itself, meaning that even if a user were to accidentally install a piece of malware, it's forbidden from accessing other parts of the device.
  • The open ecosystem improves security and makes Android stronger: Android is open source. This means anyone can review it to understand how it works and to identify potential security risks. Anyone can conduct research and also make contributions to improve Android security.
  • Google encourages security research: The Android Security Rewards Program, launched in 2015, and Google Patch Rewards program, launched in 2014, reward the contributions of security researchers who invest their time and effort in helping make Android more secure.

So, with all this, what's the fuss about? Yes, it's really a bad security hole, but the fix is in... isn't it?

Uh, well, about that: you see, Android has another, bigger security problem. With the exception of the Nexus devices, Google provides the Android source code patches, but it's up to the smartphone carriers and original equipment manufacturers (OEMs) to send them to users with updated firmware. As of July 27th, none of the major Android OEMs or carriers have announced plans to deliver the patch. With many older devices, patches may never be delivered.

According to Zimperium, SilentCircle's Blackphone has been protected against this attack since PrivatOS version 1.1.7. Mozilla's Firefox has also included a fix for this issue since version 38. And, of course, Zimperium offers its own protection from Stagefright attacks with its mobile threat defense platform, zIPS.

What Zimperium doesn't mention is that Android already has an excellent way of blocking most Stagefright assaults: Block all text messages from unknown senders.

To do this with Android KitKat, the most popular Android version, open the Messenger app, tap the menu at the top right corner of the screen (the three vertical dots), and then tap Settings. Once there, select Block Unknown Senders, and you're done.

On Lollipop, where Hangouts is the default messaging app, there's no default way to block unknown senders. You can, however, under Settings go to Multimedia messages and turn off Auto Retrieve for multimedia messages.

With Lollipop, and other versions of Android, I recommend turning to third-party SMS blocker apps. For Android 2.3 to 4.3, I like Call and SMS Easy Blocker. If you're using KitKat or above, where only one texting app can be active at a time, I like Postman, aka TEXT BLOCKER. This program works in conjunction with your favorite texting application to block unknown senders.

This isn't perfect. A friend could always get infected and spread malware, but it's a good start.

The short-term fix will be when the carriers and OEMs get off their duffs and push the fix to us. Considering their track record, I'm not going to be holding my breath and I am going to be blocking multimedia texts. The long-term solution will be when Android-using companies start working with Google to deliver important security patches as soon as possible all the time.
