A critical vulnerability in Android's multimedia playback engine is easy to exploit, requires no user interaction, and affects 95 percent of Android devices. That is an estimated 950 million devices.
The vulnerability is trivial to exploit. Purportedly, all the hacker needs is your phone number and a maliciously crafted media file to infect your Android device. This is possible because of how Android's media playback engine, Stagefright, handles media.
Android's messaging apps, Messaging and Hangouts, come with a default setting to automatically download incoming messages. The app then opens the malicious media file without user interaction. Additionally, the text could be deleted once the malware is executed. As a result, the user is completely unaware of what has happened on their device. No interaction is required of them, and no pop-up warning appears.
Due to the severity of this vulnerability, Maverick recommends implementing the following steps immediately. They will protect you from automatic exploitation of your device until patches are released.
- Open your default messaging app -- the one that brings you texts, as well as picture and video messages. If you're not sure which one that is, go into your phone's settings, select the "more" item under the Wireless & Networks section and look for "Default messaging app."
- Open that app, go to its settings and find the option for auto-retrieving multimedia messages (you may have to dig into "advanced settings," as in the Message+ app on the HTC One M9, for example).
- Uncheck that box.
As always, if you have questions or require further assistance, feel free to contact your Maverick cyber-security concierge at 855-648-7925.