The Android Stagefright bug can be exploited remotely with just a malicious MMS message. All Android versions from Android 2.2 (Froyo) to the latest Android Lollipop 5.0 are affected by this bug; the upcoming Android M is secure from this vulnerability. Apart from the MMS attack, this bug can also be exploited through MP4 videos embedded in web pages or apps to compromise your Android devices.
Discovery of Stagefright bug ?
The Stagefright bug was discovered by Joshua Drake, a senior member of Zimperium zLabs. Drake informed Google of the discovered vulnerabilities in April 2015, and the bug was then publicly announced on July 27, 2015, ahead of the Black Hat USA computer security conference on August 5, 2015, and the DEFCON 23 hacker convention on August 7, 2015. The bug has been assigned multiple CVE identifiers, which are collectively referred to as the Stagefright bug.
Level of access or privileges the Stagefright bug provides to the hacker ?
In the majority of cases an affected device can be attacked without any user interaction; the rest can be exploited by just viewing an MMS.
If the attacker successfully exploits the vulnerabilities, he can take virtually full control of your device and perform various tasks such as listening to your conversations, taking control of the device's camera, and starting video recording.
Apart from these elevated privileges, remote code execution allows sophisticated attackers to execute “privilege escalation” attacks, which allow the attacker to change “roles” on the device – providing unfettered control: access to read the victim’s emails, Facebook and WhatsApp messages and contacts, access to data from other applications, or use of the device as a pivot into the customer’s network and cloud applications.
Check your device for the Stagefright bug.
As the majority of Android devices are affected by this nasty bug, it is unlikely that your device is not affected. Still, if you want to be 100% sure, you can install the Stagefright Detector App from Google Play. The app is released by Zimperium, the same company that discovered these vulnerabilities. It will check your device and tell you whether Stagefright has been patched on your Android phone or not.
How to protect your device from Stagefright Vulnerability ?
After public disclosure of the vulnerability, a few Android variants have been patched against the bug, such as the nightly releases of CyanogenMod 12.0 & 12.1 and Blackphone’s PrivatOS. You can manually install CyanogenMod on your device to get rid of this bug.
Steps you can take to protect your device before a patch arrives.
1. Manually install CyanogenMod on your Android device.
2. Disable auto-fetching of MMS: you have to disable this option for all your messaging apps, including Hangouts.
Timeline for Stagefright Patch ?
As the Android ecosystem is largely fragmented and customized, security patches or updates take a long time to be delivered. Google has released updates for its Nexus line of phones and tablets, including Nexus 4, Nexus 5, Nexus 6, Nexus 7 (2013), Nexus 9 & Nexus 10. Nexus 7 (2012) will unfortunately not be patched as it is no longer supported.
- Samsung: The Galaxy S3, S4, and Note 4, in addition to the phones above.
- HTC: The One M7, One M8, and One M9.
- LG: The G2, G3, and G4.
- Sony: The Xperia Z2, Z3, Z4, and Z3 Compact.
- Android One devices supported by Google
Keeping in mind the severity of this critical update, major Android phone manufacturers are committing themselves to prompt security updates, at least for their flagship phones. They will be releasing security updates at least once a month.
Finally, if the Stagefright Detector App shows that your device is affected by this vulnerability, you should take all the preventive measures detailed above until a security patch is released by your phone manufacturer. Until then, keep a close eye on files being sent to you from an unknown sender.