[Photo: Ruchna Nigam, Security Researcher at Fortinet's FortiGuard Labs]
Echoing a warning about the 'Stagefright Bug' from CyberSecurity Malaysia, the national cyber security specialist agency, network security provider Fortinet has issued an advisory warning that 95 percent of Malaysian Android users could be at risk from the bug.
Ruchna Nigam, security researcher at Fortinet's FortiGuard Labs, said the Stagefright flaw, which some researchers have described as "one of the worst ever Android vulnerabilities discovered to date", posed a serious threat to Android phone users. The 'Stagefright Bug' allows a phone to be hacked simply by receiving, without even opening, a malicious MMS on devices running Android 2.2 or higher.
Nigam confirmed that the vulnerability "puts 95 percent of Android devices at risk of being hijacked. The vulnerability is considered particularly serious since it can be exploited without any user interaction."
"Other exploits and malware for Android phones typically require some sort of user interaction such as installing an application, clicking a link, or opening an MMS. What's even worse is that the received message can also be deleted, leaving no trace of an attempted attack on the victim's phone," she said.
The hijack worked by taking advantage of Android's built-in media library that processes several popular media formats, said Nigam, adding that a malicious media file can be crafted and delivered to a user's mobile phone via MMS. Upon receiving the 'message', the application responsible for handling such messages displays a preview of the received message in the Notifications Shade. An effective exploit would result in the vulnerable code being triggered on the phone.
"All an attacker needs is the victim's phone number to get the 'Stagefright' exploit to work," she said. "Devices running unpatched Android versions earlier than 4.1 'Jelly Bean' have been deemed the most at risk due to inadequate exploit mitigations."
In addition, Nigam said this vulnerability also affected Mozilla Firefox, which makes use of the same library on all platforms except Linux. It has been patched in Firefox version 38, and users are advised to upgrade their browsers.
Fortinet's security experts advise Malaysian smartphone users to take the following precautionary measures:
1. Disable auto-downloading of MMS messages in the apps used to handle such messages, such as the default Android Messaging application, Google Hangouts or any other application used to receive/manage phone messages.
2. Update the Android phone OS. Patches for some popular OS versions are either being rolled out or have already been made available (CyanogenMod & Blackphone).
- Patched in CyanogenMod versions 12.0 & 12.1 nightly: https://plus.google.com/+CyanogenMod/posts/7iuX21Tz7n8
- Patched in BlackPhones with PrivatOS version 1.1.7
- Updates for Google Nexus phones will be rolled out starting this week.