StageFright – Android vulnerability

University Systems does not recommend or support the use of Android-based devices.  However, due to the seriousness of this vulnerability, we are providing the following information for the benefit of the campus community; for a list of recommended devices, please visit our Technology Solutions Centre.

A vulnerability has been discovered in the Android operating system that allows an attacker to access data stored on your device or remotely install software merely by having your mobile phone number. This is vulnerability is being referred to as “StageFright”. All Android based phones after and including versions 2.2 are vulnerable.

An attacker can use your mobile number to remotely execute code using a media file delivered via text message such as a picture or video message. You are especially vulnerable if you have your device configured to auto-download media in your messaging apps.

To prevent auto-downloading on your Android device, review the settings for your default SMS client.

  • Google Hangouts as default SMS:
    1. Open Google Hangouts
    2. Choose Settings
    3. Select SMS
    4. Scroll down and turn off Auto Retrieve MMS
  • Google Messenger as default SMS:
    1. Open Messenger App
    2. Go to right hand of application and select the three dots
    3. Choose Settings
    4. Choose Advanced
    5. Turn off Auto-retrieve
  • Other (using default messaging app):
    1. Go to Messages App
    2. Select More
    3. Select Settings
    4. Select Multimedia Messages
    5. Turn OFF Auto retrieve

This does not protect you from choosing to open or view unsolicited messages, webpages, links, etc. Safe surfing and texting habits still apply.

It is recommended that you contact your device manufacturer and cellular data provider to identify if and when a patch may be available for your individual device and operating system.  For more information about this vulnerability and the status of a patch for many Android vendors, please see the following National Cyber Awareness System Vulnerability Note:

http://www.kb.cert.org/vuls/id/924951

We will provide updates as more information is available. If you have any questions about this notice, please contact the Computer Help Desk at 250-721-7687 or helpdesk@uvic.ca.