A vulnerability has been discovered that could allow an attacker to take control of any Android device that can receive text messages: phones, and some tablets with cellular service (AT&T, T-Mobile, Verizon, etc.). The vulnerability requires no interaction from the user, so an attacker could take control of the device and compromise any data stored on it. Combined with other vulnerabilities, this may also allow an attacker to compromise any accounts accessed from the device (email, Facebook, banking, etc.).
This vulnerability is caused by Google Hangouts and a flaw in the “Stagefright” media player component. Hangouts, when enabled, automatically processes media files in MMS (text) messages. If a malicious media file is sent to an Android device, Hangouts will read the attached media file, and Stagefright will execute the malicious code embedded in it.
Google has put out a patch for this flaw in its updates to supported versions of Android, but Google does not directly support most Android devices, which rely on their manufacturers (e.g. Samsung, HTC, LG, etc.) for software support. Patches have already been issued for recent versions of the Nexus line of devices and the “Google Play” variants of some phones, which are directly supported by Google; for devices running the CyanogenMod version of Android (such as the Oppo OnePlus line); and by the security-based company Silent Circle for its “Blackphone” product.
Threat Mitigation:
To help secure your device and prevent the flaw from impacting you, you can disable automatic MMS processing in Google Hangouts by doing the following:
- Open Google Hangouts on your Android device.
- Go to the menu, and click on Settings.
- Click “SMS” and scroll down until you see “Auto retrieve MMS.”
- If the box is checked, uncheck it; otherwise leave it unchecked. Once unchecked, you can close the settings window, and you should be safe from automated attacks.
- If the item is greyed out but checked, then you will need to change your settings to briefly allow Hangouts to be your default SMS application:
  - Go to the top of the Settings menu and locate “SMS disabled.” Click it, and allow it to become your default SMS handling application.
  - Scroll back down, locate the “Auto retrieve MMS” option, and uncheck it.
  - Now go back up, and click to make Hangouts not be your default messaging application again (only do this if it was not your default application before).
  - Scroll down in the menu presented and locate “Default messaging app.” Click it, then choose the application you were using before. You should typically only have two or three options on the list.
NOTE: Implementing this workaround does not patch the vulnerability. If you open a text message with a malicious media file and do not have the patch from Google installed, your system can still be compromised. As with emails from unknown sources, do not open text messages containing media files (attachments) from unknown numbers.
Technical Details:
The Stagefright exploit is a result of seven separate bugs in the media player component, which are detailed in the following Google bug logs:
- CVE-2015-1538
- CVE-2015-1539
- CVE-2015-3824
- CVE-2015-3826
- CVE-2015-3827
- CVE-2015-3828
- CVE-2015-3829
For more details, you can visit Sophos Labs’ Naked Security blog here:
https://nakedsecurity.sophos.com/2015/07/28/the-stagefright-hole-in-android-what-you-need-to-know/