Yesterday, security researchers discovered a critical flaw that affects almost all Android phones, that’s about one billion smartphones worldwide if you want to quantify. The scary part is that attackers only need to know your phone number in order to take over your device! There’s a good chance, rather it’s almost certain that your device is also vulnerable. Don’t panic, though, this post is about how you can easily guard your phone against this Stagefright bug, but a bit of background first.
It works by exploiting a security hole in Stagefright library, which is used by Android OS to render incoming videos embedded within an MMS. Thus, attackers can remotely send a specially-crafted MMS to your number, and upon retrieval, a malicious code embedded in it can silently become a part of your phone. Heck, it can even stealthily remove any traces of the received MMS and much more.
First one will disable the transmission of any sort of MMS, the second involves stopping your messaging app from automatically downloading/retrieving incoming MMS, as that’s when the code gets executed.
Disable sending/receiving of all MMS messages:
- Open Settings > More > Mobile Networks. You will get to the first screen above.
- Tap “Access Point Names”.
- Choose the APN which handles your MMS settings
- At the details screen, tap APN to change the value of APN to any random string. Don’t forget to write down the existing value, as you’ll need it to restore MMS functionality
I recommend this method if you don’t use MMS messaging and are not expecting any incoming MMS either.
Disable auto-retrieve in your Messaging app:
The exact steps depend on the messaging app that you’re using. Here are the screenshots of Hangouts and Messenger (messaging client in Lollipop) app:
- Go to Settings > Advanced and disable auto-retrieve
- Slide the drawer
- Go to Settings > SMS > and ‘uncheck Auto Retrieve MMS’.
Apply updates from your phone manufacturer
Note that the above fixes are temporary solutions. For a permanent fix, contact your phone manufacturer, see if they have any update on offer and how you can apply it. For rooted phones, the consequences can be particularly severe if a successful exploitation occurs.
This bug is not in the wild yet, that is, there are no reports of it being exploited at a mass scale, partly because the researchers who discovered it haven’t released a proof-of-concept yet.
They’re going to present it at Black Hat USA on August 5th though, and there’s a possibility of attacks emerging after that so apply the fixes or updates as soon as possible!