Android Has Stagefright and Your Device Probably Does Too

Learn all about the Android security bug known as “Stagefright”. What it is, how to know if you have it, and how to protect your device.

What’s more shocking? That 75% of people are afraid to speak in front of a crowd or that 95% of all Android devices are vulnerable to malicious attack? Probably depends on the type of smartphone you own.
In total, 900 million Android devices released over the last five years have a defect in their operating system nicknamed “Stagefright.” So far, the Stagefright vulnerability has not been exploited by hackers, but it still remains a problem with the potential to cause widespread mayhem. Here is what Android owners need to know about Stagefright, how to tell if your device has Stagefright, and what you can do to protect yourself from attack.

What is “Stagefright”?

“Stagefright” refers to a software bug within a native Android video player called Stagefright, hence the name. Theoretically, the bug could be used by a hacker to steal private information from an Android device by sending a text message with a worm embedded in a video file. There are two different ways that a vulnerable phone can be attacked through this bug: 1) via text message with embedded video files or 2) by viewing web videos.

1. Most messaging apps, like Google Hangouts and the default Android messaging app, automatically download received video messages so that the videos are ready to view immediately when the user opens them. Once the worm is inside a phone, that phone could be used to send the worm on to its contacts, further spreading the problem.

2. In similar fashion, viewing a video on the internet could leave a compromised phone at risk. A video file with a worm could exploit the Stagefright vulnerability through your web browsing app because Android uses the same Stagefright mechanism to process online videos.

The scary thing is that in both cases a phone can be breached remotely and secretively, without the owner even knowing.

Where Did Stagefright Come From?

Joshua Drake of Zimperium cyber-security originally found the Stagefright exploit in April 2015. He gave his findings to Google and the company made revisions to their code to fix the problem. However, more bugs were found and on July 27th the Stagefright bug was publicly disclosed.

Will it be Patched?

Since the announcement, Android device manufacturers have been working on updates to patch the issue. However, these updates require the cooperation of Google (developers of Android), manufacturers who make the devices (Samsung, Sony, LG, etc.) and the mobile carriers who serve the devices (Sprint, T-Mobile, AT&T, etc.). All the red tape has made Android security updates particularly sluggish and, in most cases, non-existent.

How Can I Tell If My Device Has Stagefright?

If you are an Android user, the numbers are not in your favor: 900 million, or 95%, of worldwide Android devices contain the Stagefright bug in their OS. The chances are good that if you are running Froyo 2.2, Lollipop 5.1.1, or anything in between, you are at risk of attack.
To be sure, there are multiple Stagefright detection apps that can be used to see if a phone does indeed have “Stagefright.” They are:

Android Security Suite Stagefright detector
The Zimperium Stagefright Detector and
The Lookout Mobile Stagefright Detector

How to Protect Yourself

The news isn’t all bad when it comes to Stagefright. According to Adrian Ludwig, the head of Android security, “90 percent of Android devices have a technology called ASLR enabled, which protects users from the issue.” (ASLR is a security measure that makes hacking more difficult by randomizing information.)
Anyone with a compromised device can take steps to protect themselves from infection. The best way to do so is by disabling the auto-download function of your text messaging apps. In most messaging apps, the basic steps are to: Open the app, tap the main menu, select settings, go to SMS or MMS, and deselect the automatic download function.
In any case, never open a video message from an unknown number and be wary of suspicious messages from friends’ phones. Hopefully, the bug will be resolved before a catastrophe, but you never know. Stagefright isn’t limited to humans anymore. Your Android probably has it.

The Dark Side of Social Media

Our brains are hard-wired to believe. We take in information literally and then evaluate it against our knowledge to decide whether or not it is true. For a moment, no matter how brief, humans will believe anything that they are told. This belief is compounded if the source of the information is someone that we know, trust, or respect.

Consider the famous Nigerian Prince Scam, a simple, fraudulent e-mail that promises a future cash reward in exchange for a small advance payment. Of course, the scam is ridiculous but, according to historians, a version of the scam has been used by con artists for over 200 years. Now, social media has opened up a whole new industry for cyber-criminals, and while e-mail spam is decreasing in frequency, social media is rife with scammers looking to make a quick buck.

Social Media Affiliate Programs

Through affiliate programs, scammers can trick you into participating in a survey and/or signing up for a premium service. In this way, scammers collect your info and make money.

All scams have one thing in common: the goal is to make money, and social media scams are no different. Most commonly, social media fraudsters monetize their efforts through participation in affiliate programs. These are incentive programs in which companies pay “affiliates” for driving traffic to their website. For instance, some unsuspecting person sees an ad for a free $1,000 gift card if they will only enter their e-mail address. When they enter their e-mail address and click submit, they have earned a referral fee for a criminal. They will never see the gift card because it never existed. It was only a ploy to get personal information.

Common Social Media Scams

Facebook, Instagram, Twitter and all other social media platforms have changed the way people interact socially and professionally. We crave likes, comments, and re-tweets like a pregnant woman craves pickles and ice cream. We are able to follow our best friends and favorite celebrities and interact with them on a daily basis. All of these benefits are noticed by scammers who use them to their advantage when designing their schemes.

Manual sharing plots are the most common and rely on social media users to spread. Usually, scammers will embed links to an affiliate site or malware inside of videos, pictures, or fake offers meant to entice people into unknowingly sharing the links with their friends. Fake offering scams are related and request social media users to join fake groups or events and share personal information in exchange for a free gift. Together, manual sharing and fake offering scams made up 93% of social media threats.

Phishing

Another type of cyber-fraud, phishing is the collection of personal information for the purposes of moneymaking. In regards to social media, phishing links are almost always hidden behind a hook (pun intended) such as a shocking news story or outlandish celebrity scandal. Once a user clicks on the link, they will be taken to a phishing site where they will be asked to login before they can proceed. Criminals will take the login information and hack other accounts for which the user has the same password (Apple ID, Bank Accounts, E-mail, Cloud Storage, etc.)

How to Protect Yourself

Knowledge and preparation are the two most important defenses against social media scams. While on social media, watch out for sensationalized stories, wild celebrity news, and offers for free money. Instead of clicking on links within social media, search for the stories on reputable news sites to see if they are legitimate. Also, never fill out a form unless you are certain the transaction is secure. Cyber-criminals are very creative and can use just about any personal information against you to make money for themselves.

Android Antivirus

In terms of preparation, one of the best investments a social media user can make is an antivirus app that can recognize threats. Apps like Android Security Suite that offer 24/7 real-time protection provide the most comprehensive protection and download directly to your device. Good antimalware will scan and detect malicious websites, phishing sites, and viruses to protect your device and your personal information from falling into the wrong hands.

Deceitful: hackers who exploit webcams to spy on you!


Hackers sneak into your webcam more often than you think as a method to watch internet surfers without being noticed. All it takes is Internet access and a program that is silently installed on your computer.

Imagine being spied on by a hacker that has installed this software on your computer. Whenever you are connected to the Internet, the hacker can log in, see everything that happens on your screen and observe you through the camera. Of course, this intrusion occurs without you being aware of it.

Hackers can install Trojans or other viruses on your computer with your unknowing help. Simple things, like going to what appears to be a normal web page with nothing more than a harmless picture, can activate Trojans that will give access to files, passwords and every folder on your computer.

There are other programs, originally created for online support teams to repair and perform maintenance remotely, that can also be a problem. In the wrong hands, these programs have become espionage instruments that can be downloaded in special forums. This means that people don’t need to have great “hacker” skills. All they have to do is pay for these programs, which gives them the potential to use them against you.

Criminal organizations earn a lot of money by selling spyware programs. These organizations are very professional, well established and very successful. That’s why if you suspect you are being watched or that a hacker is manipulating your computer, follow these recommendations:

1. Immediately disconnect your computer from the Internet.
2. Clean your computer with an antivirus program.
3. Before opening any link, hover over it to see if it takes you to the desired page.
4. Do not open any files that you receive from strangers via email.
5. Place a sticky note, tape or Band-Aid on your camera to block all unwanted and prying eyes.

Always remain vigilant while on the Internet!

Tips to Prevent Online Christmas Scams

“All that glitters is not gold” and when it comes to online scams, Christmas shoppers must watch out for “too good to be true” bargains that could end up hurting their wallets.

According to research conducted in 2013 on behalf of FFA UK by ICM in the UK, online scams cost shoppers $15 million. These people were victims of “vishing”, a fraud method that attempts to get personal or financial information via telephone, with fraudsters acting as technical support agents or sales people.

With Cyber Monday and the Christmas shopping season, cybercriminals are offering all kinds of products at very low prices. The website Get Safe Online published a list of the top five most risky items, with smartphones at the top, followed by game consoles, Ugg boots, Barbour jackets and iPads.

Remember, if it sounds too good to be true, it’s probably a scam or fake item.

Learn how to protect yourself when shopping online:

• If you get a call asking you to confirm a purchase, don’t reveal your bank account or shopping details since this is the way most fraudsters work. Just hang up and call your bank from a different phone to make sure everything is ok.
• Check your bank account regularly and make sure that your bank has your contact numbers so they can alert you if anything unusual or suspicious happens.
• Always make sure web URLs start with “https”, and pay close attention to the “S” at the end. If the site doesn’t have the S or the gold padlock icon, avoid shopping from that website.
• For banking or shopping, only use official online websites and mobile apps.
• Type the address of your bank or online shop directly into your browser. Never use a link from your email to go to your bank website nor should you open attached files that ask for personal information.
• If you own or are in the market for a new smartphone or tablet, protect it by downloading MyAntiTheft with MyAntiVirus and make sure it’s safeguarded with a PIN.
• In regards to online auctions and high value items, make sure you see the product before sending money. Use secure payment methods like PayPal instead of paying individual sellers.
• Once all your shopping or banking sessions are done and you followed this online safety guide, log out of the website or app. Also keep every purchase confirmation email.

Why Google is wrong and why mobile antivirus is needed

Android malware

“Mobile anti-virus is not needed”, says Google’s head of Android security. Speaking to journalists at the company’s Mountain View headquarters in California, Adrian Ludwig states that there’s no reason to install something in addition to the security that Google provides.

Nevertheless, fragmentation among the different manufacturers remains one of Android’s security problems that Google is trying to tackle in the new versions of Android. Google claims that Android antivirus apps are pointless and just scams.

With the upcoming release of Mobile Cloud Labs’ new Android Security Suite, we couldn’t disagree more. Not all Android antivirus applications are equal, though. Through both internal testing conducted at Mobile Cloud Labs and independent tests, we have shown just the opposite of what Google states.

In fact, we agree that Android is most definitely a secure system as it is built on top of Linux with several design features that add layers of protection. Google is right from the standpoint that a true “antivirus” may not be needed.

Viruses by definition are self-replicating and typically inject themselves into files and other executable applications, which without a rooted Android phone is extremely difficult to do on an Android device.

However, antivirus companies label their products as “antivirus” because that is what people have learned to look for coming out of the Windows era. What is definitely possible on Android, and what most good “antivirus” apps protect against, are classes of malware such as “Spyware”, “Ransomware”, “Trojans”, and “Scareware”. These types of applications can steal your information, cause unexpected behavior and slow down your mobile device.

Android malware is typically built into simple, innocent-looking apps such as flashlight apps, battery apps, etc. If you download a flashlight app for your Android device and it requires any special privileges (presented to you before download), this is the first sign of bad intention by the distributor and possible malware.
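The permission check described above can be automated. The following Python code is an added example, not Mobile Cloud Labs' own code: it reads the permission list that the Android SDK tool `aapt dump permissions` prints for an APK and flags requests a flashlight app has no obvious need for. The sample output, the package name and the "expected" and "sensitive" permission sets are assumptions constructed for this example.

```python
import re

# Assumption of this example: what a flashlight app plausibly needs.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
}

# Subset of permissions that expose personal data or can cost money
# (chosen for this example, not an exhaustive list).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "reads your contact list",
    "android.permission.READ_SMS": "reads your text messages",
    "android.permission.SEND_SMS": "can send text messages",
    "android.permission.ACCESS_FINE_LOCATION": "tracks precise location",
    "android.permission.RECORD_AUDIO": "records from the microphone",
    "android.permission.READ_PHONE_STATE": "reads phone number and device IDs",
}

# Accepts both `uses-permission: name='X'` and the older `uses-permission: X`.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(aapt_output):
    """Return the set of permission names found in aapt's text output."""
    perms = set()
    for line in aapt_output.splitlines():
        match = PERM_RE.match(line.strip())
        if match:
            perms.add(match.group(1))
    return perms

def audit(aapt_output, category):
    """Compare requested permissions with what the app category needs."""
    unexpected = parse_permissions(aapt_output) - EXPECTED[category]
    sensitive = {p: SENSITIVE[p] for p in unexpected if p in SENSITIVE}
    return {"unexpected": sorted(unexpected), "sensitive": sensitive,
            "suspicious": bool(sensitive)}

# Constructed sample output for a hypothetical flashlight app.
SAMPLE = """\
package: com.example.brightlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: android.permission.ACCESS_FINE_LOCATION
"""

if __name__ == "__main__":
    report = audit(SAMPLE, "flashlight")
    for perm, why in sorted(report["sensitive"].items()):
        print(f"WARNING {perm}: {why}")
```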

The team behind Mobile Cloud Labs knows this because they have written proof of concept applications internally in order to know what to look for and what to protect against in our upcoming Android Security Suite.

Google is correct in the fact that mobile antivirus is not needed. Where they stand corrected is that the majority of mobile antivirus apps on the market are actually protecting against other forms of malware not necessarily viruses. These apps are marketed that way because face it, when was the last time you searched for “anti malware”?