Information Technology Services (ITS)

Stagefright Android Vulnerability Advisory

Published on: July 30, 2015

A new vulnerability has been discovered in Android’s operating system that allows unauthorized access to user’s Android device, including all apps, content, camera and microphone by sending a text message to the user with malicious code.

What is Stagefright?

Stagefright a “benign piece of software code that governs how some mobile devices receive and process certain media files” according to Zimperium, IT security experts who discovered the bug.  An unknown user could exploit the vulnerability identified in this code to send a “specially crafted media file” to a device for which they know the number. The device owner may see a notification of a new message pop-up on their screen, but otherwise, everything else looks normal. Unlike phishing and other spam emails with bugs that require the user to open the file to enable malicious software, Stagefright requires no action on behalf of the user. A more sophisticated attack could make the SMS message notification disappear before the user even notices it.

How to protect your Android phone from the Stagefright bug?

Android devices after and including version 2.2 are vulnerable.  To protect your device, we recommend Android users disable Auto Retrive of MMS (Multimedia Messages) on their devices as follows:

To disable Auto Retrieve MMS (default Android Message App), go to:

  • Go to your Messages app
  • Go to Settings
  • Locate settings for multimedia messages
  • Disable Auto retrieve

For other helpful examples on how to disable Auto Retrieve in Google Hangouts, default Android SMS App, and or Samsung S6 go to the Twilio Blog for step-by-step instructions.

Further updates will be published as they become available.