In the past, people who end up getting malware or virus’ usually got it from opening suspicious files from strangers, browsing a questionable website, or partaking in illegal movie or music downloading. However, with the new Android security vulnerability released last week called Stagefright, it looks like some 950 million Android devices are at risk to getting hacked without them having to do anything.
So, back on July 21st, a mobile security firm, by the name of Zimperium, announced that they found one of the worst Android vulnerability in mobile OS history whereby you could be sent malware hidden as a video file via a text message to your phone or tablet and so just the act of your device receiving this video text message would essentially compromise and hack into your device giving the attacker control over your phone or tablet.
To make matters worse, Trend Micro (one of the more popular anti-virus companies) figured out how to trigger this vulnerability even without sending a malicious multimedia text message. They were able to trigger this exploit by crafting a specially designed webpage so if anyone with an Android device viewed the page they could also get hacked into essentially allowing the hacker to control and steal all of someone’s personal data on that device.
And so it looks like all Android devices starting from version 2.2 (which was back in 2010) up to the current version 5.1.1 are vulnerable. That’s works out to about 950 million devices world-wide. So I would definitely classify it as ‘The Mother of All Android Vulnerabilities’ for sure.
Zimperium, apparently alerted Google in April and May, proposed patches, and Google accepted them. What we don’t know is whether the fix has been pushed out to anyone’s phone since additional patches will have to be applied by the manufactures and phone carriers.
And so, herein lies the greater problem. This exploit really highlights the difficulties of getting Android devices updates pushed out to all users in a timely fashion because fixes and patches have to go though Google, the creator of the Android operating system, then the manufacturer of the device and finally through the carrier or the service provider. And so, depending on where you are in the world and what brand of device you own, it could take months or years to receive the patch, if they ever do at all.
Mobile phone manufacturers, in conjunction with wireless service providers frequently modify the Android operating system however they like before putting it on a device to sell. As a result, a security patch has to be specially adapted (or at least vetted) by the phone manufacturer and carrier before it can be sent out to someone’s device. And so unfortunately, the older and cheaper phones tend to run older versions of the Android operating system, which means that vendors and carriers often give up supporting or updating the software running on them which leaves those older models vulnerable. On the other hand, newer and more expensive phones tend to receive updates faster and more reliably (especially Google Nexus devices they probably have already received updates for stagefright directly from the Google Play store). This results in a situation called fragmentation, and it is why some Android phones get timely updates while others are left out in the dark.
Fortunately there are some steps users can take to protect themselves from this vulnerability. The best ways to protect yourself are to disable MMS messaging in your android device and make sure you install the latest updates for your phone. The steps needed to disable MMS messaging will really vary and ultimately depend on which software version you are using. Also, if you have any other texting apps installed you might want to disable MMS messages or disable the auto-retrieval of any audio or video messages, if at all possible.
This flaw affects a lot of people and strikes at the heart of Android’s fragmentation problems of getting timely updates out to all of it’s users where the bottleneck seems to come from the manufactures of the phone and then the carriers. Google has already fixed the bug and pushed it out to it’s Nexus devices, but for anyone else who has an Android phone , right now it’s unknown when the carriers and manufactures will have their patch ready. Hopefully sooner rather than later.
