Android's StageFright Vulnerability

Archived and Closed

This conversation is no longer open for comments or replies and is no longer visible to community members.

Attention Android users! A security risk known as StageFright has been discovered on Android phones. While Google is working on a fix, see below for how to protect yourself now.

What is StageFright?

A recently uncovered vulnerability known as “StageFright” in the Android operating system can be triggered without any user interaction or simply by opening a Multimedia Messaging Service (MMS) text, leading to the device being compromised.

What is Koodo doing to protect customers?

Protecting our customers’ information is our top priority. Koodo has engaged Google and device manufacturers to ensure we are on top of any developments. Manufacturers are currently working on software updates to repair this vulnerability, which will be pushed to customers as soon as they’re available.

How can customers protect their phone?

At this time the extent of this vulnerability is unclear. As a precaution, customers can be proactive in the interim and help reduce risk by following the suggestions below:

  • Disable the automatic download of MMS messages on your Android device
  • Avoid opening text or MMS messages from unknown individuals
  • Update your operating system once a patch is available

Good to know: Android users will see a notification on their phone, asking them to install updated software when it is available.

How to disable the automatic download of MMS messages on your Android device:

If this is your messaging app then follow these steps on your phone:

Google Hangouts

  1. Navigate to Account > Settings > SMS
  2. Uncheck Auto-Retrieve MMS

Google Messenger (Nexus & Motorola Devices)

  1. Tap the three dots in the top right corner of the screen
  2. Navigate to Settings > Advanced
  3. Uncheck Auto-Retrieve

Samsung Galaxy S6 SMS application

  1. In the messages app, navigate to More > Settings > More Settings > Multimedia messages
  2. Uncheck Auto-Retrieve

Alcatel, LG, Sony and HTC SMS app

  1. In the messages app, tap the three dots in the top right corner of the screen or the Menu key
  2. Navigate to Settings > Multimedia messages
  3. Uncheck Auto-Retrieve

OEM - Model - Patch Target Release:

  • HTC - One M9 - August 14
  • LG - Nexus 5 - August 7
  • LG - Nexus 4 - August 7
  • Samsung - Galaxy S5 - August 7
  • Samsung - Galaxy S5 Active - August 7
  • Samsung - Galaxy Grand Prime - August 21
  • Samsung - Galaxy S6 - August 2
  • Samsung - Galaxy S6 Edge - August 2
  • Samsung - Galaxy S4 - August 28
  • Samsung - Galaxy Note 4 - August 11
  • Samsung - Galaxy Core - September 4

Koodo Mobile, Employee

Posted 3 years ago

Paul Deschamps, Mobile Master
Already received the Stagefright fix on my Galaxy S6, so if you have a Galaxy S6 or Galaxy S6 Edge, go check for said update now. The update is 291 MB, so update over Wi-Fi if possible to avoid using up your very limited data from Koodo. Also, be prepared to not use your phone for about 10 minutes while the update installs, like always.

On a side note, Samsung and other Android manufacturers will soon begin pushing out updates on a monthly basis to help avoid any future vulnerabilities.

Ryachu
Still No Samsung Galaxy S4 Update...

HolyHoundz
Nexus 5 has been infected; it causes Chrome browser popups randomly, no fix yet.... Did a full factory install of the latest and still got infected again by FB links/photos viewed...

Paul Deschamps, Mobile Master
That has nothing to do with the Stagefright vulnerability; that's something totally different. Make sure you update your WebView through Google Play every month and you should have no issues with your browser.

HolyHoundz
Mine's always updated to the latest, I keep it ahead, but it doesn't help when no updates come.

HolyHoundz
Seems Chrome/Android is still infected with popup viruses. Even did a full wipe and firmware reinstall, was clean, latest and updates, and got the virus again. No virus found with every test, but I know it's there; wouldn't get popups when coming out of standby if it wasn't gone..

Doug Newton
A very public, very dangerous exploit has been found and fixed by Google for Nexus devices, and it took at least 2 days longer than anyone else with a Nexus device to get the fix. Why? There aren't any built-in Koodo apps on a Nexus. STOP MEDDLING WITH NEXUS AND GIVE UPDATE CONTROL TO GOOGLE

Charlie_Brown
Aug 5 - Google announced regular OTA updates each month; factory images posted later that day
Aug 10 - Links for OTA updates posted by Android Police
Aug 11 - I received the update in the afternoon

Charlie_Brown
Regarding LG:

“LG will be providing security updates on a monthly basis which carriers will then be able to make available to customers immediately. We believe these important steps will demonstrate to LG customers that security is our highest priority,” an LG representative told WIRED today in an email.

Veronica Hunt
Thanks

Tanya Lynn Squires
What if you don't have msm

Paul Wilkinson
Are there patches for Samsung Galaxy S4? Only been waiting 3 months now!

Reb
What about HTC One M8?

Timo Tuokkola, Mobile Master
Just to add, Motorola says it'll start submitting the updated software to carriers for testing on Aug. 10. Here's the full list for updates:

Moto X Style (patched from launch)
Moto X Play (patched from launch)
Moto X (1st Gen, 2nd Gen)
Moto X Pro
Moto Maxx/Turbo
Moto G (1st Gen, 2nd Gen, 3rd Gen)
Moto G with 4G LTE (1st Gen, 2nd Gen)
Moto E (1st Gen, 2nd Gen)
Moto E with 4G LTE (2nd Gen)
DROID Turbo
DROID Ultra/Mini/Maxx

Source: Motorola

Mike Halford
Can I still receive messages on my Samsung Galaxy Ace if I disable auto-retrieve?

Paul Deschamps, Mobile Master
You won't automatically retrieve multimedia messages and will be prompted to press a download icon to actually download those messages; regular text messages will still come through automatically.

Mike Halford
Thanks Paul...Mike

Mike Sheehan

I have a Moto G, which I bought in April of 2015.  How do I find out which version it is?

Has anyone got the Stagefright patch from Motorola yet?

I think I got the MMS AUTO RETRIEVE disabled.

Gavin Rideout
Has anyone gotten the update on the Nexus 5?

rikkster, Mobile Master
You're welcome, Barbara. I checked out oodo.com and it's listed as a domain name for sale. The safe search filter I'm using isn't reporting anything negative for that site. Still, I'll mention it to the higher ups and see what they have to say.

Barbara

Thank you very much for looking into it rikkster!


fotojack
This only applies to those with a data plan, correct?

rikkster, Mobile Master
No, the Stagefright vulnerability affects almost all Android devices because of a software flaw that resides deep within the Android operating system and dates back to devices running Android versions 2.2 and above. However, devices running Android versions 4.0 and above have an added layer of security built-in that helps to prevent such an attack. Still, many reports suggest that a direct patch is needed to address this vulnerability and others that may arise.

http://www.androidcentral.com/stagefr...

David Braganza
It's almost the end of August and no update for the G3 apart from some PR statement from LG?

Billy Bob
Is the patch for Samsung Galaxy S5 out yet? The target release date is August 7 but I have not seen the update yet. I have been doing "Settings > About Device > Software Update > Update Now" for the past few days and there is nothing to update. My Samsung Galaxy S5 is on Android 5.0.

Is there a build no. or version number in the "About Device" that I can check to find out if I have received the Stagefright patch?

rikkster, Mobile Master
You're welcome Billy. Paul mentions in his first post that the update was 291 MB, so that sounds about right.

Susan Reid
I have an S3 and a data plan but I don't use Google Hangouts - does that mean I'm safe?

rikkster, Mobile Master
If a would-be hacker wanted to compromise your S3, the easiest method is to send a specially coded MMS/picture message to the recipient. Whether you use Hangouts or Android's default messaging app makes no difference. Turning off auto-retrieve MMS messages and not opening MMS messages from unknown people is your best defence until the patch is made available for your device.

If you need to turn Auto-retrieve off for MMS, scroll down this page and look for my post with the picture and instructions on how to disable this feature.

It's also worth noting that this vulnerability has been around for close to five years and there have been no reports of this vulnerability being exploited. Also, devices with Android versions 4.0 and higher have an added layer of security to help prevent such an attack from happening.

http://www.androidcentral.com/stagefr...

HolyHoundz
Well, it's being hit now. A lot of pages have been affected; now Facebook has lots of photos being shared that affect Google Chrome and cause random popups of virus sites... No fix yet for Nexus 5.

rikkster, Mobile Master
I'm assuming you have the latest version of Chrome. If not, the most current for PCs is version 45.0.2454.85 m. Go to: Help and about > About Google Chrome. For mobile devices, Chrome version 45.0.2454.84 running Android version 5.1.

http://googlechromereleases.blogspot....

Ryder Bergerud
What about Android 2.3?  I can't find any options to disable automatic download of MMS.

rikkster, Mobile Master
You're welcome!

BMW
Oh boy, I wish I was as good as you. I have a Nexus but cannot find the patch. Can you help me? :))

rikkster, Mobile Master
That will depend on whether or not the patch is available for your device. It will probably take time for the update to reach your device. To check, go to: Settings > About Phone/Device > Software updates. If the phone automatically checks for system updates, you will receive notification of the impending update. In the meantime, be sure to turn off Auto-retrieve MMS messages in whichever messaging app you use (Hangouts or Android's default messaging app).

jbriseno2
My device says there is insufficient space to download the patch. It requires at least 75 MB. I have 4.4GB available.

rikkster, Mobile Master
Are you looking at internal or external storage on your phone? (e.g. microSD card). Which phone do you have? The patch gets downloaded/installed to internal storage. The Android OS will prompt the user if there's insufficient internal storage space.

Melissa
I have disabled the automatic receive of MMS messages. But when will there be an update for a Galaxy Ace 2? I don't see that listed with the other models

Melissa
Yeah it says there are no updates available.

Gavin Rideout
Samsung is notorious for not keeping their phones up to date. There is nothing you can do at this point.

Melissa
Awesome... Well thank you for your help, at least I know now.

Gavin Rideout
No problem.

Paul Deschamps, Mobile Master
Are you kidding, Gavin? Samsung updates their phones for longer than any other company making Android devices in most cases, and the only issue you may have with Samsung and updates is they take a couple more months than other companies, but they are usually first for patches such as this. This is of course their top-end devices we're talking about, such as the Galaxy S line and Galaxy Note line, but if you buy their cheap devices then don't expect much as far as updates, like every other company but Motorola, which is just as good for updates to their cheap devices as they are for their top-of-the-line devices.

Sarah kurumi Grills
I have a Nexus 4. Is something wrong with texting?

Roy Leader
I have a Galaxy Ace II. I use the messaging icon. Where do I find the SMS?

Melissa
To disable the feature they are talking about go into your messaging and then tap the button that lights up to the left of your "home" at the bottom of the phone. A little menu will pop up and you choose settings. Scroll down to Multimedia message (MMS) settings and you will see the 3rd option down as "Auto-retrieve", if it has a check mark in the box beside it uncheck it and if not you are good.

Roy Leader
OK, ty Melissa

Pirun Kar
I have the Moto G (first gen), does anyone know when the estimated time before they release an update?

Timo Tuokkola, Mobile Master
As I posted 2 days ago, Motorola says it'll start submitting the updated software to carriers for testing on Aug. 10. Here's the full list for updates:

Moto X Style (patched from launch)
Moto X Play (patched from launch)
Moto X (1st Gen, 2nd Gen)
Moto X Pro
Moto Maxx/Turbo
Moto G (1st Gen, 2nd Gen, 3rd Gen)
Moto G with 4G LTE (1st Gen, 2nd Gen)
Moto E (1st Gen, 2nd Gen)
Moto E with 4G LTE (2nd Gen)
DROID Turbo
DROID Ultra/Mini/Maxx

Source: Motorola

Pirun Kar
Thanks

Pirun Kar
This is a list from Telus on their software updates. If Motorola released them on Aug 10, why isn't Telus working on the software?


First of all..... holy spelling errors in your article!!!!!
And second, thank you. :)

Joe Robinson
I don't see much talk about the older Samsung products. Will the Samsung Galaxy S3 require an update against "Stagefright"? Model SGH-I747M Android Version 4.4.2 Build KOT49H.I747MVLUFOB1. In the meantime, autodownload of MMS disabled.

Thanks in advance.

Gavin Rideout
If you can't get Lollipop you probably won't get the patch.

Joe Robinson
Will that leave me vulnerable?

Gavin Rideout
Yes. To that security flaw and others.

frananddave
I agree. I have a wonderful Note 2.

Joanne Kitras
So there are NO updates/patches for the S3????

Louise Power
How do I get the update for my phone?  It's an S5

Gavin Rideout
Samsung will push the update out to you at some point. Go to settings > about phone > system updates to check.

Ahmad
This is why I have an iPhone :)

rikkster, Mobile Master
Apple just keeps a lid on things.

https://support.apple.com/en-ca/HT201222

Milena Harbinja
Does disabling "Auto Retrieve" mean I will not be receiving any messages?

Paul Deschamps, Mobile Master
You won't automatically retrieve multimedia messages and will be prompted to press a download icon to actually download those messages; regular text messages will still come through automatically.

Barbara
Just in case my comment responding to Nathan above doesn't get noticed (it is in Gavin's thread) - about a text message looking like it is coming from Koodo, telling you to follow the link to protect yourself from Stagefright - DON'T FOLLOW THE LINK. I didn't realize until it was too late that the "k" in koodo isn't part of the link, so it takes you to oodo.com

Ciara
I got a text and clicked the link, but the k in koodo was part of the link and it took me to this site. Should I be worried? Haha

Steve
The current patch (still being pushed and distributed) apparently does NOT fix the issue. So if you think your phone has been patched, you may have to think again.
https://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/

The public at large believes the current patch protects them when it in fact does not. Google is still currently distributing the faulty patch to Android devices via OTA updates. Google has not given any indication of a timeline for correcting the faulty patch.

Koodo Mobile, Employee

Here is an updated list of Koodo devices and their status:

  • Alcatel - Idol 3 - August 27th
  • Alcatel - Pop Icon - September 3rd
  • Alcatel - Idol X+ - September 3rd
  • HTC - One M8 - August 17th
  • HTC - One M9 - August 14th
  • HTC - Desire 320a - August 24th
  • LG - Nexus 4 - Completed
  • LG - Nexus 5 - Completed
  • Motorola - Moto E - September 4th
  • Motorola - Moto G - August 24th
  • Motorola - Moto X - September 4th
  • Samsung - Galaxy S5 - August 11th
  • Samsung - Galaxy Grand Prime - August 21st
  • Samsung - Galaxy S6 - Completed
  • Samsung - Galaxy S6 Edge - Completed
  • Samsung - Galaxy S4 - August 28th
  • Samsung - Galaxy Note 4 - August 11th
  • Samsung - Galaxy Core - September 4th
It is always a good idea to keep your phone’s operating system updated and continue installing any available security patches provided by your phone’s manufacturer as they become available.

Spence
I keep checking almost everyday, nothing yet.

Brendan William
It is now September 6th and no update on the Moto E LTE 2015. It says September 4th.

Brendan William
It is now the 8th and no update...

Spence
Hey Paul, do you know if you need a SD card in the idol 3 to get the update??

Brendan William
Now the 11th and no update

JohnC
When is the S3 getting patched?

Will
Text msg from 514-3 saying " important message from koodo: your mobile security is important to us. That's why we want to alert you to stagefright..... " Are these messages being sent by Koodo?

fotojack
Will...yes they are. I got the same message on my S3. I'm reading this on my home PC, not my phone, though.

Julie Thauvette
Hi, I have the galaxy s3, how can I fix this, I have no idea since I don't know much about my phone, actually, I know nothing.

Paul Deschamps, Mobile Master
Go into your text messaging app and then settings within that app.
Then find auto retrieve MMS and disable it.
Now you will have to tap on download when you receive a picture or video message (MMS) to receive it. *Now don't tap on and download any MMS from anyone but trusted sources that you know who they are*
Eventually Samsung should send you a patch to fix this, but this is how to protect yourself until that patch arrives through a software update.

Charlie_Brown
On Sept. 9, Google released the second update since the monthly patch announcement in August. The AOSP and Nexus patch build is LMY48M.

Details of the patch are here: 

https://groups.google.com/forum/#!search/LMY48M/android-security-updates/1M7qbSvACjo/Y7jewiW1AwAJ

There is one statement near the bottom of the bulletin:  "This issue is related to the already reported CVE-2015-3824 (ANDROID-20923261) [comment:  this is the first August StageFright patch].  The original security update was not sufficient to address a variant of this originally reported issue."  

I received the LMY48M patch last night on my Nexus 5.

cetaylor
AT&T and Sprint started pushing their Galaxy S3 Stagefright patches two weeks ago.

AT&T: http://www.att.com/esupport/article.j...

Sprint: http://support.sprint.com/support/art...

Koodo uses the same model and baseband as AT&T ... why is there a significant delay in our S3 Stagefright patch?

Sue Marie
The update was in the back of my mind since getting notified by Koodo in August. I just saw Friday's Crime Watch Daily and StageFright was explained in a segment. Scarier than I thought so I came here for answers. I don't see any for my Samsung Galaxy S3.

Spence
Finally got the update for my Alcatel idol 3 today,  :)
Hopefully it included the stagefright patch.
