Stagefright is the worst Android malware ever discovered. Learn how to protect yourself from being attacked.
Earlier this week, security researchers unveiled a vulnerability that is believed to be the worst Android vulnerability yet discovered. The “Stagefright” bug exposes nearly 1 billion Android devices to malware. The vulnerability was found in “Stagefright”, an Android media library. Hackers can gain access to a device by exploiting the vulnerability and can then access contacts and other data, including photos and videos, and can access the device’s microphone and camera, and thus spy on you by recording sound and taking photos.
The scary part is that hackers only need your phone number to infect you. The malware is delivered via a multimedia message sent to any messenger app that can process MPEG4 video format - like an Android device’s native messaging app, Google Hangouts and WhatsApp.
As these Android messaging apps auto-retrieve videos or audio content, the malicious code is executed without the user even doing anything - the vulnerability does not require the victim to open the message or to click on a link. This is unique, as mobile malware usually requires some action to be taken to infect the device.
The malware could also be spread via link, which could be sent via email or shared on social networks. This would, however, require user interaction, as the video would not load without the user opening a link. This exploit is extremely dangerous, because if abused via MMS, victims are not required to take any action and there are neither apparent nor visible effects. The attacker can execute the code and remove any signs that the device has been compromised, before victims are even aware that their device has been compromised.
Cybercriminals can take advantage of the vulnerability to collectively spy on millions of people - and even execute further malicious code. Repressive governments could abuse the bug to spy on their own people and enemies.The vulnerability could also be used for non-political spying. Hackers can easily spy on people they know, like their spouse or neighbour - all they need to know is their victim’s phone number.
Hackers can also steal personal information and use it to blackmail millions of people, or use the data for identity theft. The possible consequences of this vulnerability need to be taken seriously.
Now comprehensive fixes need to be provided by the phone’s manufacturers in an over-the-air (OTA) firmware update for Android versions 2.2 and up. Unfortunately, updates for Android devices have historically taken a long time to reach users. Hopefully, manufacturers will respond quicker in this case. On a positive note, Google has already responded. HTC told Time “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.”
We recommend users disable “auto retrieve MMS” within their default messaging app’s settings, as a precautionary measure for the moment. We have put together step-by-step instructions on how you can disable auto retrieve for MMS in various Android messaging apps. Please visit
Avast Threat Intelligence has identified a new advanced persistent threats (APT) campaign targeting government agencies and a government data center in Mongolia.
Our Aposemat Team has been testing the capabilities of IPv6 and how malware could take advantage of it. One of the topics explored was exfiltration of data via the IPv6 protocol, which we discuss in this post.
Popular banking services, including PayPal, Revolut and Venmo, allow users to request money from others with a few easy steps. Although simple, this functionality could increase the likelihood of related spearphishing attacks.