Practical computer tips, with a smattering of digital philosophy
A severe security vulnerability has just been discovered in one of the core media-rendering components of the Android operating system. This component was introduced in Android 2.2, and the flaw affects all subsequent versions of Android, up to and including the current 5.0 (Lollipop). The flaw allows remote arbitrary code execution through the delivery of maliciously crafted media files to any app that relies on the “stagefright” library to process and display media.
What makes this vulnerability so bad is that the stagefright library is the primary media processing engine for all new versions of Android: apps that rely on this library include core staples such as the Android Messaging app, the Google Hangouts app, and most mobile web browsers. What’s more, many of these apps (especially Messaging and Hangouts) ship with default configurations that automatically display incoming media files as part of new message alerts, so an incoming malicious media file reaches the library’s flaw without the phone’s user having to do anything at all.
Although there are many, many ways malicious media files might make their way onto an Android phone, you can significantly reduce* the attack space available to exploits targeting this vulnerability by simply disabling automatic media-loading features. In particular, I just took the following steps on my partner’s Android phone:
* In Messaging -> Settings (the button with 3 vertical dots at the upper-right-hand corner of the app), I turned MMS Auto-Retrieval off
* In Settings -> Apps -> Hangouts, I disabled the Hangouts app altogether, because I could find no indication that it was possible to prevent the auto-loading of incoming media content
* I checked for and installed all available updates to all of the web browsers installed on the phone
*DISCLAIMER: you should take this advice as only one suggestion that will *generally* improve the security of your mobile device against threats like the stagefright bug. These suggestions do not in any way constitute a “fix” for the stagefright bug — the only way the bug can be fixed is via an official patch for your version of Android, distributed by your phone’s manufacturer.
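For anyone looking after more than one Android device, the same two checks described above (is this phone in the affected version range, and is Hangouts still enabled?) can be scripted over a USB debugging connection. The script below is an added example, not something from the original post or from Google: it assumes `adb` is on your PATH with USB debugging enabled on the phone, that the Hangouts package is `com.google.android.talk`, and it encodes the version range exactly as the post states it (2.2 through 5.0). It does nothing to the device unless run with `--apply`; browser updates are still a manual step.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Android device over adb
# for the version range the post describes and apply the same mitigation the
# author applied by hand for Hangouts (disable the app for the primary user).
# Assumptions: adb is on PATH, USB debugging is enabled on the phone, and the
# Hangouts package name is com.google.android.talk.

# Succeed if MAJOR.MINOR falls in the range the post gives as affected:
# Android 2.2 (Froyo) through 5.0 (Lollipop) inclusive. The patch digit is ignored.
is_affected() {
  ver=$1
  case $ver in
    ''|*[!0-9.]*) return 2 ;;   # not a dotted numeric version string
  esac
  major=${ver%%.*}
  rest=${ver#*.}
  if [ "$rest" = "$ver" ]; then minor=0; else minor=${rest%%.*}; fi
  key=$((major * 100 + minor))   # 4.4.2 -> 404, 5.0 -> 500, 5.1 -> 501
  [ "$key" -ge 202 ] && [ "$key" -le 500 ]
}

# Read the release string from the attached device and report on it.
audit_device() {
  ver=$(adb shell getprop ro.build.version.release | tr -d '\r')
  if is_affected "$ver"; then
    echo "Android $ver: in the affected range, apply mitigations"
    return 0
  fi
  echo "Android $ver: outside the range described in the post"
  return 1
}

# Disable Hangouts for the primary user so it can no longer auto-render
# incoming media. This is the same action as Settings -> Apps -> Hangouts -> Disable.
disable_hangouts() {
  adb shell pm disable-user --user 0 com.google.android.talk
}

# Only touch the device when explicitly asked to and adb is actually present.
if [ "${1:-}" = "--apply" ] && command -v adb >/dev/null 2>&1; then
  audit_device && disable_hangouts
fi
```

Run it with no arguments to load the functions for inspection, or with `--apply` and a phone attached to audit the version and disable Hangouts in one step. MMS Auto-Retrieval in the Messaging app has no equivalent command-line switch here, so that setting still has to be turned off by hand as described above.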