Fortinet is warning Malaysian users that a critical vulnerability found in the Android operating system could allow hackers to gain access to their mobile devices with a single multimedia message.
Described as “one of the worst ever Android vulnerabilities discovered to date”, Stagefright allows a phone to be hacked simply by receiving a malicious MMS. What’s most alarming is that the victim does not even need to open the message or watch the video to trigger it. Stagefright can attack any Android smartphone, tablet, or other device running Android 2.2 or higher, the high-performance network security company said.
“This puts 95 percent of Android devices at risk of being hijacked. The vulnerability is considered particularly serious since it can be exploited without any user interaction,” said Ruchna Nigam, Security Researcher at Fortinet’s FortiGuard Labs. “Other exploits and malware for Android phones typically require some sort of user interaction such as installing an application, clicking a link, or opening an MMS. What’s even worse is that the received message can also be deleted, leaving no trace of an attempted attack on the victim’s phone.”
Nigam explained that the attack works by taking advantage of Android’s built-in media library, which processes several popular media formats. A specially crafted malicious media file can be delivered to a user’s mobile phone via MMS. Upon receiving the ‘message’, the application responsible for handling such messages displays a preview of it in the Notifications Shade, and a successful exploit triggers the vulnerable code on the phone at that point, before the user has touched anything.
“All an attacker needs is the victim’s phone number to get the ‘Stagefright’ exploit to work. Devices running unpatched Android versions earlier than 4.1 ‘Jelly Bean’ have been deemed the most at risk due to inadequate exploit mitigations,” she cautioned.
Alarmingly, this vulnerability also affects Mozilla Firefox – which makes use of the same library on all platforms except Linux. It has been patched in Firefox version 38 and users are advised to upgrade their browsers.
Fortinet’s security experts advise Android smartphone users in Malaysia to take the following precautionary measures:
1. Disable auto-downloading of MMS messages in apps used to handle such messages, such as your default Android Messaging application, Google Hangouts or any other application you may use to receive/manage phone messages.
2. Update the Android-based phone’s OS. Patches for some popular OS versions are either being rolled out or have already been made available (CyanogenMod & Blackphone).
- Patched in CyanogenMod versions 12.0 & 12.1 nightly: https://plus.google.com/+CyanogenMod/posts/7iuX21Tz7n8
- Patched in Blackphones with PrivatOS version 1.1.7
- Updates for Google Nexus phones are being rolled out.
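The following script is an added example for administrators managing a fleet of Android handsets; it is not Fortinet’s code and is not from the article. It turns the article’s facts into a triage rule: Android 2.2 and above is affected, unpatched builds below 4.1 are worst off because of weaker exploit mitigations, disabling MMS auto-download removes the zero-interaction delivery path, and Firefox below version 38 on any platform except Linux shares the same media library. The device records and the tier names (`critical`, `high`, `medium`) are constructed for illustration.

```python
"""Stagefright exposure triage over a device inventory (added example, not Fortinet's code).

Thresholds are taken from the article: affected from Android 2.2, weakest
mitigations below Android 4.1, Firefox fixed in version 38 (Linux builds
do not use the affected library). Device data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Device:
    name: str
    android_version: str       # e.g. "4.4.2" or "4.4W"
    mms_auto_retrieve: bool    # is MMS auto-download enabled in the messaging app?
    patched: bool = False      # has the vendor's Stagefright fix been applied?


AFFECTED_MIN = (2, 2)       # Android 2.2 and higher are affected
MITIGATIONS_MIN = (4, 1)    # below 4.1 "Jelly Bean": inadequate exploit mitigations
FIREFOX_FIXED_MAJOR = 38    # Firefox 38 carries the fix
# Turning off MMS auto-download removes the no-interaction vector, so drop one tier.
DOWNGRADE = {"critical": "high", "high": "medium"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.1.2' into (4, 1, 2). Trailing letters such as '4.4W' are ignored."""
    parts: List[int] = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(parts)


def assess_android(dev: Device) -> Dict[str, object]:
    """Classify one device and list the precautions from the article that still apply."""
    ver = parse_version(dev.android_version)
    actions: List[str] = []
    if ver < AFFECTED_MIN:
        return {"device": dev.name, "tier": "not-affected", "actions": actions}
    if dev.patched:
        return {"device": dev.name, "tier": "patched", "actions": actions}
    # Unpatched and affected: older builds lack the mitigations, so rank them higher.
    tier = "critical" if ver < MITIGATIONS_MIN else "high"
    actions.append("apply the vendor OS update / Stagefright patch")
    if dev.mms_auto_retrieve:
        actions.append("disable MMS auto-download in the messaging app(s)")
    else:
        tier = DOWNGRADE[tier]
    return {"device": dev.name, "tier": tier, "actions": actions}


def firefox_affected(version: str, platform: str) -> bool:
    """True when this Firefox build uses the affected library and predates the fix."""
    if platform.strip().lower() == "linux":
        return False
    return parse_version(version)[0] < FIREFOX_FIXED_MAJOR


def triage(devices: List[Device]) -> List[Dict[str, object]]:
    """Assess every device and order the result worst-first."""
    order = {"critical": 0, "high": 1, "medium": 2, "patched": 3, "not-affected": 4}
    results = [assess_android(d) for d in devices]
    return sorted(results, key=lambda r: order[str(r["tier"])])


# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    Device("sales-01", "4.0.4", mms_auto_retrieve=True),
    Device("sales-02", "4.0.4", mms_auto_retrieve=False),
    Device("ops-01", "5.1", mms_auto_retrieve=True),
    Device("ops-02", "5.1", mms_auto_retrieve=True, patched=True),
    Device("legacy-01", "2.1", mms_auto_retrieve=True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FLEET):
        print(f"{row['device']:<10} {row['tier']:<13} {'; '.join(row['actions'])}")
    print("Firefox 37 on Windows affected:", firefox_affected("37.0.2", "windows"))
```

Running the block prints the fleet worst-first, with the two unpatched Android 4.0.4 handsets at the top and the one with MMS auto-download still on ranked `critical`. Whether a given messaging app has auto-retrieve enabled is not exposed uniformly across Android versions, so the `mms_auto_retrieve` field is assumed to come from your MDM or from a manual check rather than from a single system setting.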