Every Android gadget at risk from new security flaw

You might remember a few months ago we told you about a huge flaw in Android called Stagefright. It let hackers run malicious code on your Android smartphone or tablet by sending you a simple text message. Because of the way it worked, it left more than 900 million gadgets worldwide vulnerable.

Google, carriers and smartphone manufacturers are still rolling out fixes, but on the whole the problem is under control. However, the same person who discovered the first flaw, Joshua J. Drake of Zimperium Mobile Security, has kept digging and turned up a few more problems in the same system that potentially affect every Android gadget out there, which is more than a billion. So, what does Stagefright 2.0 look like?

The problem

Stagefright 2.0 actually consists of two flaws. One affects every Android gadget from Android 1.0 to the present. The other only works on Android 5.0 and up.

The flaws rely on how Android handles music and video files, specifically the metadata. The metadata usually contains information like the song or video title, album, how often you've played it, etc.

However, if a hacker puts malicious code in that section, and you even preview the file, Android will run the code without checking to see what it is. It could attempt to install a data-stealing app to try taking over your phone completely. We say "attempt" because the Android system itself is still fairly tough to crack.

That could be one reason hackers don't seem to be doing much with Stagefright 2.0 yet. Also, Google already has a fix it will be rolling out later this month, but it's never good to take chances.

The solution

One way to minimize your risk is to only download MP3 files that you've converted yourself, or that you get from a reputable store like iTunes, Google Play or Amazon. Grabbing music from sketchy sites or file-sharing services is not a good idea at any time, but it's especially bad now.

Similarly, you also should avoid downloading MP4 video files online. That actually isn't a problem for most people because you're more likely to stream video from reputable sites like YouTube or Netflix. Unfortunately, hackers still have some tricks up their sleeve that you need to know about.

For example, tapping a link in a phishing text or email could send you to a malicious website with an embedded MP3 or MP4 file. From there, it could pop up a notice asking if you want to play it with your default media player. If you don't stop to think, you might do it.

The usual rules for phishing attacks apply here. Don't tap on links or download attachments from suspicious or unsolicited email and texts. And definitely don't let any audio or video run that you didn't ask to run.

Another route hackers could take is to trick you into installing a malicious app that accesses the Stagefright code libraries. This gives them the same access they'd get with a malicious media file.

As always, don't install apps that aren't from Google Play or the Amazon App Store. Even in reputable stores, be on the lookout for apps that are brand new and that ask for media access permissions.

Stagefright isn't the only danger to your smartphone or tablet. Learn seven essential steps you need to take to secure your smartphone or tablet now against the most likely threats you'll encounter.
