Android still hasn't fixed the Stagefright vulnerability. Jack Wallen explains how you can tell if your device is affected and what can you do about it.
By now, you've most likely heard about the Stagefright vulnerability that currently plagues the Android platform. This flaw allows attackers to snatch data without you having to do a single thing. At the moment, very little can be done about this issue (until Google and carriers patch the platform). In the meantime, your best bet is to (at least) not use Google Hangouts for your default messaging app (see my previous post on the issue "Major flaw in Android texting discovered").
But how do you even know if your device is vulnerable? Fortunately, the good people at Zimperium Mobile Security have created an app that will scan your device and check it against the Stagefright vulnerability. Unfortunately, the app doesn't do anything about the vulnerability (other than allow you to contact Zimperium through their web-based contact form). But in this case, even knowing will help you remain safe.
Let's install this app, run it, and contact the app developer (should the device show up vulnerable).
Installation is simple:
- Open the Google Play Store from your Android device
- Search for stagefright detector
- Locate and tap the entry by Zimperium INC
- Tap Install
- Read the permissions listing
- If the permissions listing is acceptable, tap Accept
- Allow the installation to complete
At this point, you can tap Open or locate the app launcher from either the home screen or the app drawer. When the app opens, tap BEGIN ANALYSIS and allow the app to run through its testing.
The test should take just a few seconds, and it will (most likely) report that your device is vulnerable (Figure A).
The Stagefright Detector reporting the vulnerability on a Verizon-branded Nexus 6.
Once the scan is complete, tap the contact us link, and you'll be directed to the Zimperium website, where you can contact the company through a simple form. Unfortunately, that's all you can do. The contact page doesn't allow you to even enter the device make/model or have any information regarding the flaw (it's really just a "Contact Us" form).
I ran this app against a few different Android devices, and all of them came up vulnerable.
What can you do?
There is one thing you can do to help further protect your device, and that's to disable auto-fetching of MMS messages on your device's default SMS app. Since Hangouts is the most vulnerable app to Stagefright, let's disable auto-fetching on that. Here are the steps:
- Open Hangouts
- Tap the menu button in the upper left corner
- Tap Settings
- Tap SMS
- Locate and disable Auto retrieve MMS (Figure B)
Disabling auto-fetching for Hangouts.
I would suggest leaving this feature disabled until your device is patched and is no longer vulnerable against Stagefright. Hopefully, Google will release the patch quickly (and carriers won't stand in the way of the patches rolling out) and you'll never suffer from Stagefright.
Did your device come up vulnerable? If so, what was the make, model, and carrier? Share your experience in the discussion thread below.