In April 2015, the Android OS Stagefright vulnerability was discovered by Joshua Drake of Zimperium zLabs. Two variants exist, dubbed Stagefright and Stagefright 2.0. Together they are said to affect any device running a version of Android from 1.0 to the present. This means that nearly 1.4 billion Android devices are vulnerable. The exploit gives an attacker Remote Code Execution (RCE) ability: once the attacker has gained access, he can execute commands and kick off processes without any permission from the user.

The original malicious code required an attacker to send an MMS message containing a malicious .mp3 or .mp4 file to an unsuspecting user, so the attacker had to know the user's phone number to deliver the exploit successfully. A new variant, Stagefright 2.0, infects phones if the user simply visits a website that is hosting a malicious multimedia file. [1]

How It Works

The Stagefright exploit targets the libStagefright library, which allows the Android OS to pre-process video files before a user opens them. This library is used by the two default Android applications, Messaging and Hangouts, which preview message content as soon as it is delivered to the device. This speeds up processing time should the user want to open and subsequently download the message content. Because the OS has already previewed the file before the user opens it, the device can be infected even if the message is deleted without ever being opened. [1]

Android devices rely on patches being pushed from the cellular carrier or handset manufacturer, which makes mitigating the risk of vulnerable devices a more daunting task than it is for Apple.

Protecting Your Device

The vulnerability has been patched in all new Android OS versions. Before the patch was released, disabling the Auto-Retrieve feature in the default messaging applications was used as a temporary mitigation against the Stagefright vulnerability. Depending on the installed version of Android and the device manufacturer, your messaging application may be named something like "Messages," "Messenger," or another similar name. [2]

References:

[1] https://for585.com/4agcf (Android Central article on Stagefright)

[2] https://for585.com/0cm5y (Digital Trends article on Stagefright)