Businesses beware – a new bug discovered in Google’s popular Android OS could compromise up to 950 million mobile devices. The Stagefright bug is actually a series of vulnerabilities that can theoretically be exploited by simply receiving a malicious multimedia message. While the bug has yet to be used in an actual attack, Android’s popularity, combined with difficulties in patching the bug, is leading some to call it the Heartbleed of the mobile world.
950 million people. That’s a lot, and odds are it includes many people you work with every single day. So companies that actively (by providing workers with Android devices) or passively (by adopting a BYOD policy) rely on the use of Android devices are putting their businesses at risk.
The bug could allow attackers to compromise Android devices (those running Android 2.2 “Froyo” or later) by sending malicious multimedia messages (MMS) that are handled by Google’s Stagefright media playback engine. Many Android applications use Stagefright to play back video files, so Stagefright has a number of permissions that it can use to access different files and directories on devices. People don’t necessarily need to open the message for their devices to be compromised, as some messaging apps allow Stagefright to parse the file as soon as it’s received. So simply receiving a malicious message could compromise your device and enable attackers to start stealing confidential data.
The good news is that the bug was discovered by security researchers in a lab – not by criminals actively using it in attacks. So the security community is ahead of the curve. Google has been notified and has developed a patch for the issue. The bad news is that Google does not directly push updates to end-users (except for those with Nexus devices). The patches have currently been provided to OEMs and operators, so users either depend on them to get the update or are left to take responsibility for it on their own. According to Mikko Hypponen, F-Secure’s Chief Research Officer, this is a security concern unique to Android, and contrasts with the approach taken by other major OS vendors.
“One major challenge with Android vulnerabilities like this is the hard patch-ability of Android devices due to the ecosystem model of various manufacturers and operators having their own versions and update mechanisms. Many users cannot update at all.”
Recent data from Google suggests there are 6 different versions of Android that are widely used, with KitKat (Android 4.4) being the most popular. But it’s used by less than 40% of devices. The remaining 60% or so are spread out among the other five versions of the OS, and each is customized differently and receives varying levels of support from operators and OEMs.
This leaves IT departments in a bit of a pickle, as people using different versions will have different needs in terms of support and resources. While a company-owned fleet may have resources to ensure exposed devices are updated, companies that have BYOD policies (or do not have any mobile device policies in place) need to be more proactive in monitoring the situation, as they need to know what software (and versions) people are running. Businesses that find themselves in these situations need to take advantage of mobile fleet management solutions to monitor their fleets of mobile devices.
The enhanced fleet visibility provided by mobile fleet management tools lets IT departments notify and support end-users to ensure they’re taking the necessary security precautions to protect their companies. Many researchers have pointed out that, due to the fragmentation of Android’s ecosystem, it may be a while before security patches are made available, making expert advice and guidance key security measures to be used in the interim.
F-Secure Labs advises Android users to examine apps that handle MMS (for example, Google Hangouts or the default messaging app) and disable their automatic retrieval/fetching options. This will prevent the automatic execution of potential exploits in any received messages, which will keep your device protected until you can patch the vulnerabilities. You should also avoid viewing or opening any media content from untrusted sources.
And it goes without saying that every mobile fleet should have a credible anti-malware solution in place, as it is the backbone of any good security strategy.