There was Heartbleed. Then there was Shellshock. Now there’s Stagefright.
In July, Joshua Drake, from Zimperium zLabs, looked deeply into Android’s source code, and what he ultimately found wasn’t too pretty. Drake revealed that by exploiting errors in that code, ill-intended individuals were able to remotely gain access to mobile devices — in many cases with device owners not even being aware of it.
So yes, Stagefright is a very serious security flaw. In fact, some folks are even going as far as to say that Stagefright is by far the most critical security flaw that’s been uncovered in Android to date. The flaw affects as many as 950 million smartphones.
Here’s how it works. By simply sending a code-laden MMS message to an Android device, a hacker can gain access to it. Drake revealed that there were multiple flaws in the code that hackers could exploit. In a worst-case scenario, a hacker could send an unsuspecting user a message that they would never even see.
To clarify, many phishing attacks — like spear-phishing — require users to physically click a link or open a “PDF.” There’s none of that with Stagefright. An attacker simply sends the message, and all of a sudden your phone’s infected — and you may not even realize it.
So then you’d go about your day using your phone as you normally would, and some creepy guy would be out there somewhere in the world monitoring everything you do. That person would then have access to your contacts, your photos, your texts, your apps — everything. No bueno.
Google Responds Quickly—But That May Not Help You, Either
After Drake discovered Stagefright, he quickly set out to patch it up. Drake then submitted both the exploit and the patches to Google, and the company responded by updating Android’s code within 48 hours. (It’s worth noting that Drake may have been paid as much as $40,000 by Google, as the company offers bounties to encourage programmers to uncover flaws.)
Problem solved, and crisis averted, right?
Not so fast. Because Google released Android as an open-source code base, device manufacturers are able to use it and tweak it to their precise specifications. The end result? A sea of fragmented devices — one that keeps growing bigger every day.
Apple, for example, only has to worry about iOS working on a limited number of devices (iPhone 6, iPhone 5, iPad 2, iPhone 4s, etc.). So if and when flaws are uncovered, the company can quickly patch them and then send out updates to all its devices.
That’s not the case with Android. According to recent figures, KitKat (Android 4.4) is the most popular version of the operating system in use today, with about 40 percent of phone owners using it.
The problem? It’s two iterations old, meaning that folks either aren’t updating their devices when they can, or phone manufacturers and developers haven’t made appropriate changes and pushed them out. In other words, though fixes to Stagefright are available, many users of older devices will have to wait a little bit longer for the patch to trickle down to their own devices.
An Easy Workaround
In the meantime, there’s an easy workaround. Open up your messaging app and make sure to deselect the Auto Retrieve feature (Settings > Multimedia Messages > Auto retrieve off). With auto-retrieve off, your phone no longer downloads MMS content on its own, so you can check a message before choosing to download and view it, providing another line of defense against Stagefright.
In any case, Stagefright serves as yet another reminder of the dangers of the digital world. We’re increasingly relying on our devices — virtually our whole lives are on them. Since that’s the case, it’s important to be as proactive as possible in ensuring we keep intruders out of our digital worlds — the same way we keep them out of our homes.
If you’re worried about online security and privacy, a VPN for your mobile device may help. By harnessing the power of a virtual private network right from your mobile device, all of the traffic between your device and the VPN server gets encrypted, meaning third parties on the network in between, including your service provider, won’t be able to eavesdrop on what you’re doing.
When it comes to digital security and privacy, you can never be too cautious. But by staying educated and taking the right steps to protect yourself, there’s less chance you’ll find yourself with a compromised device.