The Stagefright Bug: Description and Mitigation

I love my Android phone. I’m glad I upgraded from the iPhone. However, a serious flaw was discovered that affects nearly one billion (yes, with a “b”) Android devices. The bug lets an attacker send a single MMS (multimedia) message that could give the attacker access to data, devices and apps on the phone.

The bug is named “Stagefright” after the Stagefright subsystem library, which is part of Android. There are actually seven bugs in the “package”. Before anyone gets too worried, let me say that Google has released a patch for the bugs. However, because of the way bug fixing works for Android, individual carriers have to send out patches to the devices, and it can take weeks or months to release a fix due to the required testing.

You can go a long way toward protecting yourself by turning off automatic retrieval of MMS messages. The makers of the Lookout tool for Android describe the method for various message-reading apps and also say that “Lookout protects devices from malware delivered using Stagefright exploits.” I have used Lookout since I purchased my Android phone.

Configuring MMS

Three things are required to exploit the bug on your phone: the attacker needs to have your phone number (that should be a no-brainer), you must automatically retrieve MMS messages, and the attacker must send you a specially crafted MMS message.

This brings up an interesting point. Should carriers look for known vulnerabilities such as the Stagefright bug’s signature and block those messages? What about ISPs blocking files with known virus signatures or other known malware? In my mind these are two entirely separate cases. In the latter you control the device and in the former the provider (usually) controls the software run on the device. Each does allow some form of anti-malware software.

In Android devices, the provider both sends the data (if sent over the provider’s network as in MMS messages) and controls the device OS. In this case the system is relatively closed and so perhaps the carrier should indeed block the malicious messages.

In the case of data delivered over the Internet directly, the scale is so large that a) providers are unlikely to be able to process the data, and b) the providers have no idea what devices the user has deployed. It would surely be nice never to have to worry about malware on the Internet, though. Connections would likely be faster and compromises would be a thing of the past. Such a Utopia seems far off, however, and I’m not holding my breath.

I have two action requests this week: 1) Turn off auto-retrieval of MMS messages on your Android devices. I have, and I have shared the instructions with my wife. 2) Look into some sort of malware protection for your device if you don’t have it. I use Lookout, as I mentioned above. This isn’t an endorsement from me or from Learning Tree; it’s just a note about what I use. Use something, though.


To your safe computing,
John McDermott
