Cyber Security Alert: Android Devices
A vulnerability has been discovered that can affect Android versions 2.2 through 5.1, about 95% of all Android devices in use. It is located within the Stagefright media library, which is used to render Multimedia Message Service (MMS) content, such as images or videos. By default, most Android devices automatically retrieve MMS messages. Thus, an attacker can perform malicious acts (enable microphone, copy files, turn on camera, etc.) without any action on the part of the recipient. This vulnerability can also be exploited through other means, such as visiting malicious websites.
Google has created patches to address this vulnerability, and most Android devices receive updates through phone manufacturers and cell service providers (Samsung, HTC, ATT, T-Mobile, etc.). When this security patch becomes available, please update your devices. In the meantime, you can reduce your exposure to this vulnerability by disabling auto-retrieval of MMS messages.
The Cyber Security Program Office recommends that all Laboratory employees take steps to protect the data on their mobile devices by practicing safe computing:
- Require a PIN to gain access to the device.
- Enable automatic updates to receive timely software patches.
- Install software from reputable sources.
- Be cautious of strange text and e-mail messages.
If you have any question about Stagefight or best mobile devices security practices, please contact the Cyber Security Program Office at email@example.com or ext. 2-3456.