Think malware can’t affect Android or iOS? Think again. Jonathan Parkyn reveals how to find out if your phone or tablet is under attack and how to stop it
A flaw was recently discovered in the Android operating system (OS) that could allow hackers to take control of your phone or tablet simply by sending you an infected multimedia message (MMS) – essentially a text message with a malicious video file attached.
As we reported, this so-called Stagefright bug is very serious indeed. In most cases you don’t even have to play the video or even open the message for the hacker to be able to get into your device. This is because the Android OS automatically processes most video attachments in the background.
On the upside, this means they’re ready to play when you tap them. On the downside, it means hackers can take advantage of the flaw without you needing to do anything at all.
Here we’ll answer the crucial questions about how the bug works, how to find out whether you’ve been affected, and what you can do to make your device safe.
How serious is the Stagefright flaw?
If a hacker is able to gain access to your Android device using Stagefright they could, in theory, gain system-level permissions – which more or less amounts to full control of your phone or tablet. That means they’d have unfettered access to whatever data is stored on it, including text messages, emails, photos and more. In addition, the hacker could take control of your camera and microphone, effectively turning your phone or tablet into a surveillance device to spy on you and listen in to your private conversations.
And once the vulnerability has been exploited, a hacker could cover their tracks by deleting the infected message so you’ll never even know you’ve been hacked in the first place.
Are your phone and tablet affected?
Simply put, if you’re an Android user, it’s very likely that your phone or tablet is among the vulnerable devices.
US security company Zimperium – the firm that discovered Stagefright in the first place – says up to 95 per cent of Android devices could be affected by the flaw. That’s an estimated 950 million phones and tablets worldwide.
Basically, if you’ve got an Android device running any version of the OS between 2.2 (Froyo) and 5.1 (Lollipop), it could be vulnerable.
A patch has been issued to fix the Stagefright flaw but, due to the way Android updates work, your device may not necessarily have received it yet.
Google only issues updates directly to its own Nexus-branded devices, so it’s up to individual device makers and mobile networks to issue updates to their users. Some manufacturers, such as Samsung, Sony, LG and HTC, have been quick to respond, but older, discontinued models may not receive this vital update at all.
To find out whether your device still suffers from the flaw, download Zimperium’s free Stagefright Detector app for Android (www.snipca.com/17945). Run the app and tap Begin Analysis. The app will check your device and tell you whether your phone or tablet is vulnerable to the attack.
What the tool doesn’t do is check whether you’ve already been hacked or patch the vulnerability for you.
Now here’s some good news: there’s currently no evidence to suggest that any hacker has actually managed to successfully exploit the flaw, other than the security experts who uncovered it. But given how stealthy the exploit can be, it’s very hard to know for sure.
What can you do to stay safe?
First of all, check for the latest Android updates as your device manufacturer might have issued a fix. Tap Settings, ‘About phone’, ‘System updates’ and then ‘Check for update’. Then switch off auto-fetching in your MMS settings, to prevent attachments from being downloaded automatically to your device.
Instructions for doing so vary between messaging apps, but the process is similar. For example, to do this in Google Hangouts, open the app and tap the menu icon (three horizontal lines), Settings and then SMS. Scroll down to ‘Auto retrieve MMS’ and untick the box.
The Stagefright bug affects many other messaging apps, including the original Android Messaging app, plus Samsung Messenger, WhatsApp and more, so make sure to disable auto-fetching in whichever messaging app you use.
Bear in mind that if you manually open a malicious MMS or accidentally download an infected video, you could still end up being hacked, so treat any multimedia message with extreme caution – even those from friends and family, as it’s possible their device has been hijacked to spread the infection.
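If you look after several Android devices, the version range and the two steps above can be turned into a quick checklist. The Python script below is an added example, not part of the original article; the device names, the field names (release, vendor_fix_installed, mms_auto_retrieve) and the status labels are assumptions made up for illustration.

```python
# Added example: triage a device inventory against the article's Stagefright guidance.
AFFECTED_MIN = (2, 2)  # Android 2.2 (Froyo), lower bound given in the article
AFFECTED_MAX = (5, 1)  # Android 5.1 (Lollipop), upper bound given in the article


def parse_release(release):
    """Reduce '5.1.1' to (5, 1). Point releases belong to their major.minor
    line, so comparing full strings or full tuples would wrongly put 5.1.1
    above the 5.1 bound. Returns None if the string is not a version."""
    parts = release.strip().split(".")
    try:
        major = int(parts[0])
        minor = int(parts[1]) if len(parts) > 1 else 0
    except ValueError:
        return None
    return (major, minor)


def triage(device):
    """Return (status, actions). Missing fields are treated as the unsafe case."""
    version = parse_release(device.get("release", ""))
    if version is None:
        return ("unknown", ["run a Stagefright detector app on the device"])
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return ("outside-range", [])
    if device.get("vendor_fix_installed", False):
        return ("patched", [])
    actions = ["check for a system update from the manufacturer"]
    if device.get("mms_auto_retrieve", True):
        actions.append("switch off MMS auto-retrieve in the messaging app")
        return ("exposed", actions)
    # Auto-retrieve is off, but a manually opened message is still a risk.
    return ("reduced", actions)


# Constructed sample inventory (not real devices).
INVENTORY = [
    {"name": "phone-a", "release": "5.1.1", "vendor_fix_installed": True},
    {"name": "tablet-b", "release": "4.4.2", "mms_auto_retrieve": True},
    {"name": "phone-c", "release": "2.3.6", "mms_auto_retrieve": False},
    {"name": "phone-d", "release": "6.0"},
    {"name": "phone-e", "release": "5.1.1"},
    {"name": "tablet-f", "release": "unknown"},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        status, actions = triage(dev)
        print(f"{dev['name']:9} {dev['release']:8} {status:14} {'; '.join(actions)}")
```

A device marked ‘reduced’ still needs the manufacturer’s update; switching off auto-retrieve only removes the route that needs no action from you.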
What about iOS devices?
Stagefright is an Android vulnerability; iPads and iPhones aren’t affected by it. But that doesn’t mean they’re immune to malicious attacks in general.
Earlier this year, researchers uncovered a number of security flaws in iOS and Mac OS X. Both systems are vulnerable to XARA attacks (short for ‘unauthorized cross-app resource access’), which involve a hacker getting a malicious app listed in the iTunes or Mac App Store. If you install the app, the hacker could exploit any weaknesses they find, and gain access to personal data.
Fortunately, there have been no reported examples of any Apple users falling victim to a XARA attack, but it does serve to illustrate that you should never assume your device is invulnerable. And you should always watch out for dodgy apps.
WORST MOBILE THREATS – AND HOW TO PROTECT YOURSELF
1 Viruses
Mobile viruses are real, despite what you may have heard. However, your chances of being infected by one are very small, due to the way that Google, Apple and Microsoft regulate apps sold through their official app stores. To stay safe, stick to these official sources.
2 Hackers
As Stagefright shows, hackers are constantly looking for new ways to gain control of your mobile devices without your knowledge. Check regularly for OS updates and accept updates as soon as they’re available.
3 Phishing
Fake websites, spam emails, texts and adverts that try to get you to part with personal information are as much a problem on mobile devices as they are on your PC. Use dedicated apps for banking and other sensitive transactions, rather than using your mobile browser.
4 Snooping
Unsecured Wi-Fi hotspots aren’t safe, whatever device you’re using. It’s easy for someone to snoop on your activity, so never use free Wi-Fi to carry out sensitive tasks, such as banking.
5 Lost or stolen device
By far the biggest threat to your security is physical loss or theft. Your phone and tablet contain loads of personal information that could be exploited very easily. Lock your device, keep it safe and use Google and Apple’s built-in tools to remotely locate or wipe lost devices.