How serious is the Android Stagefright vulnerability?


Bill Mayhew

Jul 27, 2015, 7:38:49 PM
to Akron Linux Users Group
According to Forbes.com, an announcement is scheduled for the Blackhat conference August 2015.  The exploit reportedly leverages flaws in the resident video handler called Stagefright.  According to Forbes, a specially crafted multimedia SMS containing a video clip can be used to remotely trigger the exploit.  The apparently bad news is that if Google Hangouts is installed, the exploit can be triggered with no user interaction on the part of the recipient.  Hangouts' behavior is to always automatically immediately download any MMS video content, then cache the content in Gallery.  Thus, it appears there is no way to prevent the exploit from running if Hangouts is the default MMS handler.

To me, that sounds fairly serious, but the web site Android Central treats the threat almost dismissively.

For a hopeful work-around:  what I did was to install Google Messenger via the Play Store application, and then disable Hangouts in Settings/Apps.  I then opened Messenger and accessed the settings.  In settings, make sure Messenger is the default MMS app, and uncheck Auto-retrieve.  This should allow you to safely skip over any suspicious MMS texts.  I only get one or two texts a month, so for extra caution, I used my carrier's web site to manage my account to disable texting until a definite fix is out.

Does anybody have a fact-based opinion on how seriously we should take this apparent vulnerability?

References:

Laura Knotek

Jul 27, 2015, 9:16:10 PM
to Akron Linux Users Group
I'm not a writer at AndroidCentral, but I'm one of the moderators at their forums. I don't use Hangouts for SMS/MMS, nor do I use Google Voice.

Bill Mayhew

Jul 28, 2015, 12:03:28 AM
to Akron Linux Users Group, lkno...@gmail.com, lkno...@gmail.com
Just a note: I don't have a problem with Android Central's reporting.  It is just curious that we seem to have a disconnect between sources about how worried we should be.  Forbes seems to be reasonably good at avoiding breathless hyperbole, however Forbes is not primarily a computer journal.

To me, the potential vulnerability seems pretty serious.  Any MMS text messaging facility (or other software) that allows video playback using the Stagefright framework is at risk.  For example, I believe the Firefox browser version for Android was vulnerable because it uses Stagefright, however Firefox has already been patched.

The text messaging facility is more problematic because of the way the system integration is handled.  It sounds like a system update will be needed to fix the problem, and indeed Google had patches ready as far back as April 2015, however the distribution to wireless carriers and pushing out to customers could take months.  Older phones that are off carriers' radar screens might not be patched in a timely fashion, if carriers take any action at all.

In the meantime, it seems like the best action to take is to disable Google Hangouts because Hangouts apparently cannot be stopped from processing MMS video through the Stagefright framework before the user is even aware there is an incoming message.  The older Messenger application is also risky because a user can still be tricked into opening an enticing infected MMS, but at least it is possible to set Messenger not to allow Auto-retrieve.

Donald Parsons

Jul 28, 2015, 1:34:24 PM
to Bill Mayhew, Akron Linux Users Group, lkno...@gmail.com
On Mon, 2015-07-27 at 21:03 -0700, Bill Mayhew wrote:
> Just a note: I don't have a problem with Android Central's reporting.
> It is just curious that we seem to have a disconnect between sources
> about how worried we should be. Forbes seems to be reasonably good at
> avoiding breathless hyperbole, however Forbes is not primarily a
> computer journal.

The Register had a writeup about this yesterday too:

http://www.theregister.co.uk/2015/07/27/android_phone_text_flaw/

Sounds serious. Would be worried if I had activated my phones (I just
use WiFi and VoIP).


