Last week, security researchers revealed several high-severity vulnerabilities related to Stagefright, a native Android media player library. The vulnerabilities leave close to a billion devices open to remote code execution. Attackers can exploit the vulnerabilities by sending a specially designed media file via multimedia messaging service (MMS) or another channel to a victim’s mobile device. Victims may not even have to open the message to be vulnerable, and in some cases victims can become vulnerable by visiting a Web page hosting the malicious file or accessing the file via a separate Android application.
What does this mean for end users and enterprises? Here are some immediate recommendations:
End users should disable the “auto-retrieve” function from their MMS settings. A quick and easy-to-follow guide can be found here. A patch has been released, but it may take a while for the patch to reach the billion vulnerable devices, as device manufacturers have to now release patches for each type of device. Therefore, until you are confident that your device has been patched, the device remains vulnerable and can be compromised if a malformed media file is downloaded.