Security

Android Multimedia “Stagefright” Security Flaw is Widespread and Critical

On January 25, 2016, my phone received the first clearly identifiable attempt at a Stagefright attack, through a text message with an attachment.

“Stagefright” is an Android component that processes multimedia content. On July 28, 2015, a very serious security flaw was announced that makes it possible for an attacker to send a specially crafted MMS message that exploits the vulnerability and gives the attacker root control of the device without any action on the part of the user. For Nexus devices distributed by Google, fixes are available, but most Android devices get fixes from cell phone carriers and will get the update much later, or in many cases never. To find out whether or not your device has received patches, go to Settings->About and look for the security patch level as shown in Figure 1. The security patch level item was added in September 2015 as part of Google’s response to the Stagefright vulnerabilities. Google now issues a new security level every month; Nexus devices generally get the update in the first week of the month.
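The same check can be scripted for a device connected over adb, which helps when auditing more than one phone or tablet. This is an added example, not part of the original article: the function names, the one-month tolerance and the sample dates are assumptions, and `ro.build.version.security_patch` is the system property that holds the value shown in Settings->About.

```shell
#!/bin/sh
# Added example: classify a device by its Android security patch level.
# On a device connected over adb the value would come from:
#   adb shell getprop ro.build.version.security_patch    (e.g. 2015-10-01)
# An empty value means the build predates the field (added September 2015).

# months_behind PATCH_LEVEL TODAY
# Prints the number of calendar months between two YYYY-MM-DD dates.
months_behind() {
    p_y=${1%%-*}; p_rest=${1#*-}; p_m=${p_rest%%-*}
    t_y=${2%%-*}; t_rest=${2#*-}; t_m=${t_rest%%-*}
    # Strip a leading zero so "08" and "09" are not parsed as invalid octal.
    p_m=${p_m#0}; t_m=${t_m#0}
    echo $(( ($t_y - $p_y) * 12 + ($t_m - $p_m) ))
}

# patch_status PATCH_LEVEL TODAY [MAX_MONTHS]
# Prints one of: missing | malformed | current | stale:<months>
# MAX_MONTHS defaults to 1 (assumption: monthly releases, allow one cycle of lag).
patch_status() {
    level=$1; today=$2; max=${3:-1}
    if [ -z "$level" ]; then
        echo "missing"      # no patch level field at all: treat as unpatched
        return 0
    fi
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "malformed"; return 0 ;;
    esac
    n=$(months_behind "$level" "$today")
    if [ "$n" -le "$max" ]; then
        echo "current"
    else
        echo "stale:$n"
    fi
}

# Constructed sample values, evaluated as of a fixed date so the output is stable.
for sample in "" "2015-09-01" "2016-01-01"; do
    printf '%-12s -> %s\n' "${sample:-<empty>}" "$(patch_status "$sample" 2016-01-25)"
done
```

For a live device, pass the output of the `adb shell getprop` command shown in the comment as the first argument and `$(date +%Y-%m-%d)` as the second.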

In many cases, browsers and other applications use the Stagefright library, and there is currently no way to mitigate these attacks. This problem means that tablets with WiFi are vulnerable to the Stagefright problem.

Figure 1. Android settings->About showing Android security level

August 14, 2015

On August 14, 2015, I got an Android over-the-air update LMY48I for the Google Nexus 5 that I obtained directly from Google; this is the first fix for the “Stagefright” MMS security flaw. But it is not a complete fix, as additional vulnerabilities in the Stagefright component have been identified. Initial announcements of this vulnerability indicated that it was present up to 5.1.1_r5, but later information indicates that the first fixes were not complete and that versions up to 5.1.1_r9 (LMY48I) are vulnerable. Google has indicated that it will henceforward distribute security fixes for Nexus devices on a monthly basis, but this is not necessarily the case for Nexus devices purchased from telephone companies, or for Android devices from other manufacturers.

September 20, 2015

On September 20, 2015, I got the first-ever monthly Android over-the-air update to LMY48M which has the second batch of fixes for the Stagefright vulnerabilities. Use

Mitigating “Stagefright” Flaw With Hangouts Settings

Hangouts is the default SMS/MMS messaging app on recent Android phones, and by default it downloads MMS content and is thus vulnerable to Stagefright. You can change the settings in Hangouts to disable auto-downloading of MMS content. This is not a complete fix, because you can still manually download and view infected MMS content that will exploit the flaw, and other applications that use the Stagefright media library are vulnerable. Figure 2 shows the Advanced Settings panel in Google Hangouts where you can disable the automatic download of media files.

Figure 2. Advanced settings in Google Hangouts showing disabling automatic download of media files

Mitigating “Stagefright” Flaw With Alternative MMS Applications

In Android 4.4 and later, you can easily change the default SMS/MMS application. One way to mitigate the Stagefright vulnerability is to change your default SMS/MMS application to one that does not automatically retrieve MMS content. I’ve used Signal, which does not automatically run MMS content and is thus less vulnerable to this security flaw than if I used the default application. It will still be vulnerable if you manually download MMS content.

Figure 3 shows the settings in Signal that disable the download of multimedia files attached to text messages.

Figure 3. Screenshot of Signal->Settings->Chats and Media showing automatic download of media files disabled in Signal to mitigate some aspects of Stagefright vulnerability

Alternative OS for Android Phones

If your carrier has dropped support for your device and never provides a fix for the Stagefright vulnerability, in some cases you can install an alternate operating system on the phone. Cyanogenmod is a commercially distributed phone OS that may provide an alternative for some phones. This is a last resort, and for many users should be viewed only as an alternative to taking a hammer to the phone. Installing Cyanogenmod requires rooting the bootloader on the phone and allows you to run with a “rooted” phone, but later releases disable root access by default. Cyanogenmod offers nightly updates, and has accessible, current information on the Stagefright vulnerability.

I’ve run Cyanogenmod on an Asus TF700T tablet and on a Samsung Galaxy Tab 7.0 for several months without problems. I switched to Cyanogenmod because Asus and Samsung had abandoned support for the devices and have not provided updates in over a year. All functions have worked reliably with the exception of Swype. Device encryption requires using the TWRP recovery loader rather than the older Clockworkmod recovery loader.

Getting a New Phone

If your carrier does not provide an update for your phone, and you cannot or do not want to install Cyanogenmod, the only alternative is to dispose of the phone. Unlike Apple and Blackberry devices, Android phones offer no good way to remove all of the personal information on a phone without rooting it and formatting it. For this reason, you should be very reluctant to sell an Android phone.