Tuesday, 28 July 2015

More than 95% of Android phones vulnerable to StageFright-based exploit!


This one's a doozy.

Experts at Zimperium Mobile Security have found a stunning vulnerability in almost all Android-based mobile phones.

This vulnerability allows a remote attacker to take over a victim's phone by doing little more than sending a specially crafted video via MMS. No interaction on the part of the victim is required!

The video triggers an internal Android program termed "stagefright", which trips over the malformed video and allows the attacker's program (embedded into the video) to run.

At this point, the attacker can do many things, including:
  • Delete stuff
  • Change stuff
  • (Scary) remotely access phone content without the owner even being aware of it.
For those with a technical bent of mind, read more at the Zimperium blog.

Saving yourself from this vulnerability requires you to update the Android phone OS. Unfortunately, except for those who are using Google phones (such as the Nexus) or those phones under the Google One program (limited models of Micromax, Spice, Karbonn), this is not an option.

Most phone manufacturers are very slow at providing updates. Usually, phones over 18 months old will not receive updates at all.

So, short of buying a new Android phone, what are the options available to avoid this vulnerability?

If you are tech-savvy, or know someone who is, you can opt to root your phone and disable StageFright. However, this option is not for everyone.

The simplest thing you can do to prevent this is to disable MMS if you are not using it at all.

To disable MMS: On most Android phones, go to Settings->More->Mobile Networks->Access Point Names.

Among the list of access points, you will find some marked as MMS. Touch each one, then change the following settings to junk values:
  • APN
  • Proxy
  • Port
  • Password
  • MMS Proxy
  • MMS Port
  • Uncheck APN enable/disable (most models do not have this option)
Then touch the menu button, and choose the "Save" option. This will disable ALL MMS functionality!

[Figure: Sequence to disable MMS]

You can restore it easily if you like by going to the APN settings page. Touch the menu button, and choose "Restore settings to default."

It is also suggested that you stop the Google Hangouts app from being the default messaging app. To do this: open the Hangouts app, then slide open the settings pane. Choose "Settings" -> "SMS" -> "SMS enabled", and change the setting to disabled.