Android app tells you if you have 'Stagefright' vulnerability
Got Stagefright? Not the fear of an audience, but an Android vulnerability that could hijack your smartphone via a garden-variety MMS. The company that discovered the flaw, Zimperium, has now released a tool, the Stagefright Detector App, to at least let you know if you're patched against it. Google issued a fix a while ago, and you're protected if you have a Nexus device. But if you own nearly any other smartphone -- even a brand new one like Samsung's Galaxy S6 -- you're probably still at risk.
In fact, I checked my own Galaxy S6 Edge, and yep! If you send me an infected MMS and I'm silly enough to open the video attachment, then my phone is your phone. In fact, if I used Google's Hangouts for SMS (I don't), the app may pre-process the attachment and infect me regardless. Some devices other than Nexus aren't vulnerable -- a colleague who owns a OnePlus One with a CyanogenMod nightly is already protected. However, devices from manufacturers like Samsung, HTC and LG are still at risk, even if you paid top dollar for the latest and greatest flagship (ahem).
If you receive a video MMS from somebody you don't know, then of course, don't open it.
The Stagefright Detector app lets you know if you're vulnerable, though it's no cure. The app told me I wasn't patched against CVE-2015-3827 and -1538 flaws, but didn't point me to any advice on how to fix the problem. Instead, it directed me to contact Zimperium for reasons unknown. Nevertheless, the company does have a blog post on how to handle the vulnerability -- in a nutshell, if you're using Hangouts as your SMS app, you'll need to disable "Auto Retrieve MMS." And if you receive a video MMS from somebody you don't know, then of course, don't open it.
It's still not clear how many people this has affected, though Zimperium said most Android phones are affected. The flaw highlights how Android's fragmentation problem leaves the platform much more vulnerable to attacks than iOS -- when Apple issues a patch, every iPhone owner gets it. Zimperium recently launched an alliance to address that problem, and said that 25 of the largest global carriers and handset makers are already on board. The goal is to get around the usual Android update delays and help manufacturers get critical security patches into consumers' hands more quickly.
Update: Zimperium told Engadget that its "contact me" form allows it to "anonymously collect CVE and fingerprint the device was vulnerable to. We'll share this information with ZHA (Zimperium Handset Alliance) members to help to patch most of the Android OSs."
