Date: 08/13/2015
From: Richard Stovall (IT/Development)
To: Android Phone Users
Subject: Urgent Android Smartphone Security Issue
You may have recently heard about a flaw in Google’s Android operating system that could allow attackers to install malicious software on up to 95% of the world’s smartphones.
This is a very serious issue, and one that you should take immediate steps to mitigate if you or your family have any Android phones. For a good recap of the issue, read this NPR article.
To summarize, a vulnerability has been discovered in Android that could allow anyone to compromise your phone by sending you a specially crafted MMS (multimedia text) message. You do not even have to open the message for the attack to be successful, which is why it is so dangerous. Anyone could send a message to your phone number and exploit the vulnerability. It is not likely that you would be targeted specifically, but rather your phone number would be attacked as part of a large group of messages sent to millions of numbers. This makes it even more dangerous and in need of attention, because being unimportant or anonymous does not protect you. If you can receive MMS messages, you are just as much a target as everyone else.
Google has released update code to fix the issue, but it is up to the individual manufacturers and carriers (Samsung, Motorola, HTC, LG, Verizon, AT&T, etc.) to send it out to consumers. For those of you with phones older than a year or so, it is virtually certain that your phone will never be updated.
Regardless of the age or maker of your phone, we highly recommend that you take the step of disabling the automatic download of MMS messages. If you use Google Hangouts for text messages, this should be done in two different applications - Google Hangouts and the default Messaging app. If you do not use Hangouts for texting, you only need to disable the setting in the Messaging app.
Below are steps for disabling the automatic download of MMS messages on my phone, a Motorola device running Android 5. The steps may be somewhat different on yours, depending on your Android version.
---
Messaging
- Open the Messaging app.
- Tap the icon to expose the menu with the Settings option. On my phone it is the three vertical dots in the upper right corner of the screen.
- Tap Settings.
- Scroll down to the option for “Auto-retrieve - Automatically retrieve messages” and ensure that it is unchecked.
---
Google Hangouts
- Open the Hangouts app.
- Tap the icon to expose the menu with the Settings option. On my phone it is the stacked line “hamburger” icon in the upper left of the screen.
- Tap Settings.
- Tap SMS.
- If SMS is disabled, there’s nothing more to do.
- If SMS is enabled, scroll down to the Advanced section and uncheck the option for “Auto retrieve MMS - Automatically retrieve MMS messages.”
- Also uncheck the option for “Roaming auto-retrieve.”
The effect of disabling automatic download of MMS messages will be that when you receive a message of this type, you will have to manually take the step of downloading the content. Your phone will notify you of the incoming message and you will be prompted to download the content.
The same rules that you use for opening e-mail attachments now apply to MMS messages on your phone. If the message is from someone you don’t know, delete the thread immediately. If the message is from someone you know, but you aren’t expecting anything from them, either contact them first to ensure it’s safe or delete it. Until your phone is updated (which most never will be), simply downloading a malicious message could infect your phone with software that could steal your personal information and passwords, and serve as a launching pad for attacks against others.
Think about how this might work. Someone you know is successfully attacked and their phone serves as a launching pad to send attacks to everyone in their address book. You receive what appears to be an innocent message from a friend and you are compromised. Now your phone serves as a distribution point and spreads the attack to everyone in YOUR address book. It doesn’t take long in a nightmare scenario like this for thousands of people to become victims.
The devices that enrich our lives with magical apps and endless communication are also very powerful computers that have to be maintained and replaced on a schedule. When updates come out for your phone, install them. Until then, we strongly suggest you take the steps above to minimize your chance of being vulnerable to this extremely dangerous flaw in Android.
Also, for iPhone and other device users, the general guidance holds true for you as well. Install updates as soon as you can. When your device is no longer supported, replace it. Every platform sees issues like this. It’s just amplified for Android because most of the devices out there run it.