There's no fix for Android's Stagefright hack -- Google's patch won't protect you

Think that Google's patch against the Android Stagefright hack will protect you? It won't.

An estimated 950 million Android devices are vulnerable to the Stagefright hack, although Google claims only 10% of that number are vulnerable. But even that number --- 95 million --- is pretty significant.

In the hack, an attacker sends a multimedia messaging service (MMS) message carrying a malicious payload to an Android device. The attacker can then gain access to the system. In some instances, the message doesn't even have to be opened to expose the system to an attack.

Google built a patch to close the hole, and has begun delivering it to devices and to device manufacturers. But there's a big problem with it: It doesn't work. So claims Exodus Intelligence. In its blog, the security company warns:

The Stagefright hole was discovered by the mobile security firm Zimperium. Zimperium also created a free Stagefright detector app so people could see whether their systems are vulnerable. But Exodus Intelligence says that if devices use Google's faulty patch, the detector will tell people that their devices are safe, even though they aren't safe.

Exodus says that it's working with Zimperium to fix the detector. But it says that Google, so far, hasn't responded.

There is something you can do to help protect yourself: disable auto-fetching of MMS on your Android device. You'll have to disable it in two places, Google Hangouts and Messages. To disable it in Google Hangouts, first open Hangouts. Then tap Options-->Settings-->SMS. In the General section, check whether you have SMS enabled. If you do, go to Advanced and uncheck the box next to Auto Retrieve SMS. That disables auto-fetching in Google Hangouts.

Next, open Messages. Tap More-->Settings-->More Settings-->Multimedia Messages. Turn off Auto Retrieve. That disables auto-fetching in Messages.


Preston Gralla
