Many of you reading the headline may be unaware of what Stagefright is. No, it is not being scared before performing or speaking in front of a crowd; it is much scarier than that!
In July of this year, Zimperium disclosed its discovery of a vast security flaw in millions of Android devices before discussing it in more depth at the Black Hat conference in early August. In its most basic form, the exploit is that a video sent via MMS (or, it turns out, played from the web or a download) could theoretically be used to attack your phone through libstagefright, the mechanism that helps Android process video files.
This exploit only exists from Android 2.2 onwards, so if you have an ancient device then you’re safe, but if you have something newer, like my Samsung Galaxy S6, then in all likelihood you are vulnerable. The main way this exploit is run is through auto-retrieval of MMS messages, so if you turn this off you will be safer than most.
There is no proof that this exploit has been used in the wild, but then again it can execute without the device owner even being notified, as the MMS can automatically be deleted once entry is gained. This access can even be elevated to root level, meaning that the attacker has access to settings the average user would not have.
If your device is running Android 4.0 or above, then Google has placed some protection which should be enough to keep you safe. In fact, in July Google reiterated to Android Central that there are multiple mechanisms in place to protect users:
“We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.
Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.”
Google also said it has updated its Hangouts and Messenger apps so that they don’t automatically process video messages in the background “so that media is not automatically passed to mediaserver process.” The bad news is that most of us are going to have to wait on the manufacturers and networks to push out system updates.
If you would like to find out if you are affected, download the ‘Zimperium Stagefright Detector’ and test your device.