On July 21st, mobile security firm Zimperium announced a vulnerability in Android. Potentially affecting nearly 1 billion Android devices, it is being referred to by some as the “Heartbleed of Android.” While this vulnerability is a huge risk, there are some simple things users can do to protect themselves.
Stagefright is an Android vulnerability potentially affecting all Android phones running Android 2.2 “Froyo” and newer. The bug takes advantage of Android’s built-in software component, also named Stagefright, which Android uses to interpret Multimedia Messaging Service (MMS) content.
All a bad guy needs to know is your phone number. The hacker can theoretically embed malware within a video file and send it to an Android user. The user does not have to accept or open the message for the exploit to run. Upon receipt of the message, the hacker can take complete control of the mobile device, delete any evidence of the message, and copy data from the phone as they see fit.
Due to Android’s fragmented ecosystem, it is difficult to determine just how many smartphones are affected by this vulnerability. In the Android world, Google releases a patch to device manufacturers, who then implement the patch and submit it to the carriers (Verizon, AT&T, Sprint, etc.). The carrier must then approve the patch and release an Over-the-Air (OTA) update. In April of this year Zimperium alerted Google, which released a patch in May. What is unknown is which manufacturers and carriers have released this patch to users.
WHO SHOULD BE CONCERNED?
While everyone with an Android phone running 2.2 or newer should be concerned, financial institutions that allow employees to use mobile devices to access company email or networks should be especially alert. If a hacker were to gain access to a company mobile device, the individual could read or steal all emails the employee has stored on the device, which could lead to breaches of confidential information.
HOW CAN YOU PROTECT YOURSELF?
While the extent of the patching is unknown, there are some simple steps an employee, financial institution, or other user can take to protect themselves. The two main prevention methods are to block all messages from unknown senders or to prevent your device from automatically downloading MMS messages. While this wouldn’t prevent you from being hijacked by a message from someone you know, it should greatly reduce your risk.
If your phone runs the Android 4.4 “KitKat” operating system and you use the default messaging app, open the app, go to Settings, and tap “Block Unknown Senders.” If your phone runs Android 5.0, or you use Google Hangouts to send SMS and MMS, go into Hangouts’ Settings, select the SMS setting, and un-check “Auto retrieve MMS.” If neither of these is an option for your device, consider downloading a trusted third-party app that allows you to block SMS messages from unknown senders.
Zimperium zLabs created the Stagefright Detector App to validate whether or not your device is vulnerable. It is available in Google Play at https://play.google.com/store/apps/details?id=com.zimperium.stagefrightdetector.
While Stagefright is a big deal with a huge potential for risk, at this time it is unknown whether the vulnerability has been exploited in the wild. Until carriers and manufacturers start releasing data on which devices have been patched, the best advice is to take the simple steps listed above and block messages from unknown senders. As always, any time an update is available for your phone, you should install it immediately and ensure your device is up to date. By following these simple steps, financial institutions and end users should be able to protect themselves from this situation.
If you are looking for some additional details about mobile device security and management, the SBS Institute will be releasing a specialized certification program on mobile device management in the next few months. Contact firstname.lastname@example.org for more information.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.