Stagefright: Everything you need to know about Google’s Android megabug by Robert Hackett @FortuneMagazine July 28, 2015, 5:07 PM EDT E-mail Tweet Facebook Google Plus Linkedin Share icons Stagefright? What? Huh? That’s what you’ve been asking yourself ever since the Internet erupted yesterday over the announcement of a big computer bug in Google’s Android operating system. In fact, you might still be wondering: Is my phone safe? Wait, the Internet erupted? Did it actually explode? (Is that even possible?) Thankfully, no. I mean maybe, but as long as you’re still able to read this then I think we’re doing okay. Anyway, for those who still have questions about all the hullabaloo, Fortune has drafted a friendly Q&A to help you understand what happened, and why it is a problem that still needs fixing. What is stage fright? Stage fright is the nervous sensation a presenter feels before appearing publicly. (Say, for example, at a major security conference next month.) Stagefright, on the other hand, is the nickname of a terrible Android flaw found in the open source code of Google’s Android operating system. The vulnerability, disclosed on Monday, may be the worst one to date. It puts 95% of Android devices—950 million gadgets—at risk of being hacked. Where does the name come from? “Stagefright” is the name of the media library—a portion of Android’s open source code—in which the bugs were found. It’s obviously a great bug name, too. No lie. What does that media library do? Stagefright—the library, not the bug—helps phones unpack multimedia messages. It enables Android phones to interpret MMS content (multimedia message service content), which can contain videos, photos, audio, text, as opposed to, say, SMS content (short message service content), which can contain only 160 characters. The bugs are in that library. Wait, I thought you said Stagefright is a bug, not bugs? Okay, okay. So Stagefright is a collection of bugs, if you want to be technical. Seven to be exact. If you want to get real technical, their designations are: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, and CVE-2015-3829 But for our purposes, I’ll just refer to them collectively as Stagefright. A singular bug set; one vulnerability. Fine, that seems easier. Why should I care about it? Well, if you’re an Android user then your device is probably vulnerable. Is that bad? That means an attacker can infect your device simply by sending you a malicious MMS message. (Remember that acronym? Multimedia message service.) In fact, a victim doesn’t even have to open a booby-trapped message for the attack to spring. Once the message received, your phone is toast. Er…that doesn’t sound good. Right. Once inside, an attacker can access your phone’s data, photos, camera, microphone. What’s worse is that a clever baddie can delete the booby-trapped message from your phone before you even realize that your device has been compromised. So basically, yeah it’s bad. That does sound bad. Yup. And it gets worse! Imagine this scenario: Someone attacks your phone, steals your contact list, automatically targets those devices—rinse, repeat. Now everyone’s infected. That’s what we like to call a computer worm. How long has this been the case? About five years. What?? You mean my phone has been open to attack this whole time??? Yes. Surely, Google must have patched it by now! You’re right! Google patched the bugs right away. The company learned about one set of vulnerabilities in April and another set in May. The person who discovered the problems—Joshua Drake, a researcher at the mobile security company Zimperium zLabs—says he provided patches, and Google GOOG adopted them within two days. (The company reportedly paid him $1,337 for his work.) Woohoo! So I’m safe? Nope. The problem isn’t fixed. What? Huh? Why? That’s because Google’s Android ecosystem relies on its partnering phone-makers to push out software upgrades. That means Samsung, HTC, LG, Lenovo, Motorola, Sony, among others, are responsible for delivering the patches to customers. Have they done so yet? CyanogenMod, Mozilla, and Silent Circle’s Blackphone have. I don’t use those… Then you’ll have to wait. The other companies have issued statements that basically say, “We’re working on it.” You can read them here. Is there a way to test whether I’m vulnerable? If you’re using a phone that runs on Android version 2.2 or above, you may as well assume you’re at risk. The most vulnerable phones predate Jelly Bean (version 4.1), and that accounts for about 11% of Android phones on the market. (We’ll add a link to a test when one comes to our attention but, unfortunately, there’s nothing available yet—at least that we know of. Though it would be pretty cool if someone came up with one. Nudge nudge, wink wink.) Why are post-Ice Cream Android phones better off? As Google Android’s lead security engineer explains here, that’s about the time that Google put in place some strong exploit mitigation technologies, like one called Address Space Layout Randomization. “This technology makes it more difficult for an attacker to guess the location of code, which is required for them to build a successful exploit,” Adrian Ludwig writes. He goes on: “(For the layperson — ASLR makes writing an exploit like trying to get across a foreign city without access to Google Maps, any previous knowledge of the city, any knowledge of local landmarks, or even the local language. Depending on what city you are in and where you’re trying to go, it might be possible but it’s certainly much more difficult.)” You can find a list of similar security technologies implemented since Ice Cream (version 4.0) here. So I get that I should pressure my phone-maker to push out the fixes. What about my wireless carrier? Well, if your wireless carrier was real cool, it could create a signature for Stagefright-based attacks, and block those threats on its network. Fiat Chrysler recently worked with Sprint to make its cars much less hackable that way. Your carrier could also help make sure the fix works for older versions of Android, too, rather than just making sure the latest version is protected. The security researcher Nicholas Weaver recently made this point on Twitter. https://twitter.com/ncweaver/status/626067586568974336 He suggested something similar for Google, too. https://twitter.com/ncweaver/status/626058358437482496 Can I do anything else to be safer? First, ask your device manufacturer for an update: When will a patch be available and will you be covered? You might also consider changing the settings on your Android apps that use MMS, like Messaging and Hangouts. Un-click “automatically retrieve MMS messages.” In the meantime, consider using Snapchat or WhatsApp to swap clips, GIFs, and whatnot. Other than that, keep your phone number private, I guess? Drake, the guy who found the flaw, plans to present more details at the Black Hat conference next month. Okay, thanks for the tips. If I have any other questions, can I call you? No, sorry. My phone number is private information. Just testing you! Ah I see what you did there, you jokester!