Koodo Community

Solved

950 MILLION ANDROID DEVICES AT RISK DUE TO MMS VULNERABILITY


So what is Koodo doing about the MMS vulnerability with Android phones? Google has come out with several patches to fix the issue, so when do we expect to get these fixes?
http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

10 replies

Userlevel 7
Koodo, as the service provider, will push the fix as soon as Google makes it available and it's been properly vetted. If you're worried about it before then, disable auto retrieve or turn off your data.
Userlevel 7
From Digital Trends:

What can you do to avoid being hacked? Unfortunately there isn’t much the consumer can do. You could stop using the Hangouts app as your default messaging application, but it’s still an issue with the Messenger app as well. The only difference is that the user must look at the message, but the video doesn’t have to be played. Who isn’t going to glance at a message to see what it is?

What makes things more confusing is that the Messenger app that Drake refers to is a Google app and it’s the default SMS / MMS messaging app on Nexus devices. However, most Android phones don’t include Messenger in favor of one that is developed by the manufacturer of the phone. It’s unclear whether a hacker can gain access through something like Samsung’s own Messages app, which is found on all Galaxy phones. Then there is the issue of the hackers needing to know your phone number, but what would stop someone from sending millions of random messages?

The good news is that hackers weren’t aware of the vulnerability, so it’s unlikely anyone is utilizing it at the moment. However, disclosures of the bugs will be released today, which means that exploiters will have enough information to start writing code.

Read more: http://www.digitaltrends.com/mobile/android-stagefright-mms-hack-news/#ixzz3hCVguWBD
Here are some instructions for the other messaging clients, Samsung [S6, but should apply for other models] included.

https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html
Chad, you suggested turning off the data in my question as well, but that doesn't help on Carrier Locked phones.  Even with the MMS settings disabled in the APN - as soon as you connect to Wifi - MMS messages will get through.  You MUST disable Auto Retrieve as a temporary solution.

If there are no timely updates, Koodo should offer to unlock all Android phones so that the Default APN can be removed.  If you have any contacts within Koodo, please reach out to them.  If they are unwilling to unlock for free, maybe offer a discount...  Honestly, these carrier locked phones are really unnecessary - especially with the Tab system.  

Disabling Data is not an acceptable solution - some people need Mobile Data for work use....
Userlevel 5
Woo Saa wrote:

Chad, you suggested turning off the data in my question as well, but that doesn't help on Carrier...

MMS won't get through on WiFi if you are using the standard Messaging app. MMS needs Data, and will not work on WiFi.
And at this point it's just a vulnerability.
Userlevel 5
Woo Saa wrote:

Chad, you suggested turning off the data in my question as well, but that doesn't help on Carrier...

But I guess using the link mentioned previously by Woo Saa  would be a start to protect yourself
https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html
Woo Saa wrote:

Chad, you suggested turning off the data in my question as well, but that doesn't help on Carrier...

I beg to differ.  I have tested this on my Note 4.  Maybe on an unlocked phone you can break this, but for some silly reason, Samsung has the Koodo APN enabled permanently.  With WiFi off - MMS messages cannot be sent or received via the custom APN I created with ALL MMS settings disabled - the message is stuck trying to send the MMS.

As soon as I connect to WiFi, the MMS message is sent out and receiving MMS is possible again.

Some carriers allow MMS messages over any Internet connections - looks like Koodo is one of them:
http://forum.xda-developers.com/showthread.php?t=2371562
Userlevel 5
Woo Saa wrote:

Chad, you suggested turning off the data in my question as well, but that doesn't help on Carrier...

Interesting,  thanks Koodo 😞

Woo Saa wrote:

Chad, you suggested turning off the data in my question as well, but that doesn't help on Carrier...

So.  Luckily the security researchers worked with Samsung to release an APK to disable MMS.  More details on the attack and solutions/patches here:
https://blog.zimperium.com/stagefright-vulnerability-details-stagefright-detector-tool-released/

There's also an app on the Play Store that will check if your phone is vulnerable:
https://play.google.com/store/apps/details?id=com.zimperium.stagefrightdetector
Userlevel 3
Woo Saa wrote:

Chad, you suggested turning off the data in my question as well, but that doesn't help on Carrier...

Patches are already out for most phones in the States. I'm not sure why we just can't use those. In any case I'm not worried. It's just a potential and there are lots of those every day.
