950 MILLION ANDROID DEVICES AT RISK DUE TO MMS VULNERABILITY

  • Question
  • Updated 3 years ago
  • Answered
So what is Koodo doing about the MMS vulnerability with Android phones? Google has come out with several patches to fix the issue, so when can we expect to get these fixes?
http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

Jason yeaman


Posted 3 years ago


Chad Burr, Mobile Master

Koodo, as the service provider, will push the fix as soon as Google makes it available and it's been properly vetted. If you're worried about it before then, disable auto retrieve or turn off your data.

Chad Burr, Mobile Master

From Digital Trends: What can you do to avoid being hacked?
Unfortunately there isn’t much the consumer can do. You could stop using the Hangouts app as your default messaging application, but it’s still an issue with the Messenger app as well. The only difference is that the user must look at the message, but the video doesn’t have to be played. Who isn’t going to glance at a message to see what it is?

What makes things more confusing is that the Messenger app that Drake refers to is a Google app and it’s the default SMS / MMS messaging app on Nexus devices. However, most Android phones don’t include Messenger in favor of one that is developed by the manufacturer of the phone. It’s unclear whether a hacker can gain access through something like Samsung’s own Messages app, which is found on all Galaxy phones.
Then there is the issue of the hackers needing to know your phone number, but what would stop someone from sending millions of random messages?
The good news is that hackers weren’t aware of the vulnerability, so it’s unlikely anyone is utilizing it at the moment. However, disclosures of the bugs will be released today, which means that exploiters will have enough information to start writing code.

Read more: http://www.digitaltrends.com/mobile/a...

Woo Saa

Here are some instructions for the other messaging clients, Samsung [S6, but should apply for other models] included.

https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html

Woo Saa

Chad, you suggested turning off the data in my question as well, but that doesn't help on Carrier Locked phones. Even with the MMS settings disabled in the APN - as soon as you connect to WiFi - MMS messages will get through. You MUST disable Auto Retrieve as a temporary solution.

If there are no timely updates, Koodo should offer to unlock all Android phones so that the Default APN can be removed.  If you have any contacts within Koodo, please reach out to them.  If they are unwilling to unlock for free, maybe offer a discount...  Honestly, these carrier locked phones are really unnecessary - especially with the Tab system.  

Disabling Data is not an acceptable solution - some people need Mobile Data for work use....

Spence

But I guess using the link mentioned previously by Woo Saa would be a start to protect yourself:
https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html

Woo Saa

I beg to differ.  I have tested this on my Note 4.  Maybe on an unlocked phone you can break this, but for some silly reason, Samsung has the Koodo APN enabled permanently.  With WiFi off - MMS messages cannot be sent or received via the custom APN I created with ALL MMS settings disabled - the message is stuck trying to send the MMS.

As soon as I connect to WiFi, the MMS message is sent out and receiving MMS is possible again.

Some carriers allow MMS messages over any Internet connections - looks like Koodo is one of them:
http://forum.xda-developers.com/showthread.php?t=2371562

Spence

Interesting, thanks Koodo :(

Woo Saa

So.  Luckily the security researchers worked with Samsung to release an APK to disable MMS.  More details on the attack and solutions/patches here:
https://blog.zimperium.com/stagefright-vulnerability-details-stagefright-detector-tool-released/

There's also an app on the Play Store that will check if your phone is vulnerable:
https://play.google.com/store/apps/details?id=com.zimperium.stagefrightdetector

LairdC

Patches are already out for most phones in the States. I'm not sure why we just can't use those. In any case I'm not worried. It's just a potential and there are lots of those every day.
