Learn all about the Android security bug known as “Stagefright”. What it is, how to know if you have it, and how to protect your device.
What’s more shocking? That 75% of people are afraid to speak in front of a crowd or that 95% of all Android devices are vulnerable to malicious attack? Probably depends on the type of smartphone you own.
In total, 900 million Android devices released over the last five years have a defect in their operating system nicknamed “Stagefright.” So far, the Stagefright vulnerability has not been exploited by hackers, but it still remains a problem with the potential to cause widespread mayhem. Here is what Android owners need to know about Stagefright, how to tell if your device has Stagefright, and what you can do to protect yourself from attack.
What is “Stagefright”?
“Stagefright” refers to a software bug within a native Android video player called Stagefright, hence the name. Theoretically, the bug could be used by a hacker to steal private information from an Android device by sending a text message with a worm embedded in a video file. There are two different ways that a vulnerable phone can be attacked through this bug: 1) via text message with embedded video files or 2) by viewing web videos.
1. Most messaging apps, like Google Hangouts and the default Android messaging app, automatically download received video messages so that the videos are ready to view immediately when the user opens them. Once the worm is inside a phone, that phone could be used to send it on to the phone’s contacts, further spreading the problem.
2. In similar fashion, viewing a video on the internet could put a vulnerable phone at risk. A video file with a worm could exploit the Stagefright vulnerability through your web browsing app because Android uses the same Stagefright mechanism to process online videos.
The scary thing is that in both cases a phone can be breached remotely and secretly, without the owner even knowing.
Where Did Stagefright Come From?
Joshua Drake of Zimperium cyber-security originally found the Stagefright exploit in April 2015. He gave his findings to Google and the company made revisions to their code to fix the problem. However, more bugs were found and on July 27th the Stagefright bug was publicly disclosed.
Will it be Patched?
Since the announcement, Android device manufacturers have been working on updates to patch the issue. However, these updates require the cooperation of Google (developers of Android), manufacturers who make the devices (Samsung, Sony, LG, etc.) and the mobile carriers who serve the devices (Sprint, T-Mobile, AT&T, etc.). All the red tape has made Android security updates particularly sluggish and, in most cases, non-existent.
How Can I Tell If My Device Has Stagefright?
If you are an Android user, the numbers are not in your favor. 900 million, or 95%, of Android devices worldwide contain the Stagefright bug in their OS. The chances are good that if you are running Froyo 2.2, Lollipop 5.1.1, or anything in between, you are at risk of attack.
To be sure, there are multiple Stagefright detection apps that can be used to see if a phone does indeed have “Stagefright.” They are:
How to Protect Yourself
The news isn’t all bad when it comes to Stagefright. According to Adrian Ludwig, the head of Android security, “90 percent of Android devices have a technology called ASLR enabled, which protects users from the issue.” (ASLR, short for address space layout randomization, is a security measure that makes hacking more difficult by randomizing where a program’s code and data are placed in memory.)
Anyone with a vulnerable device can take steps to protect themselves from infection. The best way to do so is by disabling the auto-download function of your text messaging apps. In most messaging apps, the basic steps are to: open the app, tap the main menu, select settings, go to SMS or MMS, and deselect the automatic download function.
In any case, never open a video message from an unknown number and be wary of suspicious messages from friends’ phones. Hopefully, the bug will be resolved before a catastrophe, but you never know. Stagefright isn’t limited to humans anymore. Your Android probably has it.