Android's StageFright Vulnerability

Community Manager

What is StageFright

 

A mobile security researcher recently uncovered a vulnerability in the Android operating system which can open it up to exploitation.

This vulnerability can be triggered without any user interaction whatsoever, or simply by opening a Multimedia Messaging Service (MMS) text, causing the device to become compromised.

 

*Update March 3rd, 2016*

 

TELUS is aware of the new StageFright-based Metaphor exploit which has recently surfaced. "Metaphor" allows hackers to inject malware that can copy, steal and delete data on the device. Further, this exploit can take over the device's microphone and camera and even track a user's movement via GPS.

 

The good news is that any device launched after October 1st, 2015 should have the necessary CVE patch built into the Android operating system to protect you regardless of software version.

 

As with its predecessor, StageFright, it is always a good idea to ensure your device has the latest possible updates downloaded.

To check on your Android security patch version, tap on: Settings > About Phone. 

 


 

How to protect yourself


Minimize risk associated with an MMS by:

 

  • Launching your native text messaging application
  • Tapping on Settings and looking for the "Multimedia Messaging Service" (MMS) heading
  • Disabling "Auto-retrieve" (or Auto-fetch) MMS by removing the check mark

 

Rest assured that by disabling "auto-retrieve MMS," you're not also disabling the ability to receive them. You can still download MMS on a per message basis from your most trusted contacts and sources.

 

App / Steps

Google Hangouts
1. Navigate to Account > Settings > SMS
2. Uncheck Auto retrieve MMS

Google Messenger
1. Tap the three dots in the top right corner of the screen
2. Navigate to Settings > Advanced
3. Uncheck Auto retrieve

Samsung SMS
1. In the Messages app, navigate to More > Settings > More Settings > Multimedia messages
2. Uncheck Auto retrieve

LG SMS
1. In the Messages app, tap the three dots in the top right corner of the screen
2. Navigate to Settings > Multimedia messages
3. Uncheck Auto-retrieve

HTC SMS
1. In the Messages app, tap the three dots in the top right corner of the screen
2. Navigate to Settings > Multimedia messages (MMS)
3. Uncheck Auto-retrieve

What TELUS is doing to help protect our Customers

 

Protecting our customers' information is our top priority. TELUS has engaged Google and device manufacturers to ensure we are on top of any developments.

 

It is always a good idea to keep your phone’s operating system updated and continue installing any available security patches provided by your phone’s manufacturer as they become available. 

Manufacturers will continue patching this vulnerability and we will make it our priority to test and push out updates as they are made available to us. We should note that some devices may not be supported by the OEM.

 

Here is a list of devices with planned updates at this time:

 

OEM   Model   Target Release
         
Alcatel   Idol 3   Completed
Alcatel   Pop Icon   Completed
Alcatel   Idol X+   Completed
Alcatel   Pop 8    Completed
Alcatel   Pop 8 S LTE   Completed
HTC   One M7   Completed
HTC   One M8   Completed
HTC   One M9   Completed
HTC   Desire 320a   Completed
HTC   Desire 510   Completed
HTC   Desire 601   Completed
Huawei   Ascend (Y330)   Completed
Kyocera   Duraforce   Completed
LG   G2   Completed
LG   G3   Completed
LG   G4   Completed
LG   Nexus 4   Completed
LG   Nexus 5   Completed
Motorola   Nexus 6   Completed
Motorola   Moto E   Completed
Motorola   Moto G (1st Gen)   Completed
Motorola   Moto G (3rd Gen)   Completed
Motorola   Moto X    Completed
Motorola   Moto X Play   Completed
Samsung   Galaxy Alpha   Completed
Samsung   Galaxy Grand Prime   Completed
Samsung   Galaxy S5   Completed
Samsung   Galaxy S5 Active   Completed
Samsung   Galaxy Grand Prime   Completed
Samsung   Galaxy S6   Completed
Samsung   Galaxy S6 Edge   Completed
Samsung   Galaxy S4   Completed
Samsung    Galaxy S4 Mini   Completed
Samsung    Galaxy S3   Completed
Samsung    Galaxy S3 Mini   Completed
Samsung   Galaxy Note 2   Completed
Samsung   Galaxy Note 3   Completed
Samsung   Galaxy Note 4   Completed
Samsung   Galaxy Note 8   Completed
Samsung   Galaxy Core   Completed
Samsung   Galaxy Tab S 8.4   Completed
Samsung   Galaxy Tab S 10.5   Completed
Sonim   XP6700 (XP6)   Completed
Sonim   XP7700 (XP7)   Completed
Sony   Xperia Z1   Completed
Sony   Xperia Z3   Completed


What if my device is not on the list 

 

We are working with our OEM partners to provide you with the most up-to-date information. Please keep an eye on this page - we will be updating the device list regularly.

 

Comments
Lola
Leader

I have an S4, along with many others I know, and none of us received the patch yesterday, August 28th. When will it be sent? 

lesa_322
Just Moved In

I also have a Samsung Galaxy 4 and did not receive the patch for StageFright, why??????

Lola
Leader

I see we can now expect the patch on Sept. 3. Sigh...

lesa_322
Just Moved In
What a joke this is, I even called them and they couldn't care less one way or another
xray
Rockstar

OnePlus One is patched with release of CyanogenMod COS 12.1 

lesa_322
Just Moved In

What is one plus one xray

lesa_322
Just Moved In

One plus one ???

lesa_322
Just Moved In




Xray, that one plus one, what make of phone is that, for I don't understand one plus one, please explain


xray
Rockstar

"What is one plus one xray" - Two :)

 

OnePlus is a phone manufacturer. They do not sell their phones through any retailer or carrier which is why it isn't on the list above. There are some TELUS customers like myself who use their phones.

lesa_322
Just Moved In
Thank you for your reply, I have a Samsung Galaxy S4, and tried contacting TELUS and ended up getting nowhere for over an hour of wasted time on the phone
xray
Rockstar

@lesa_322, no need to contact TELUS support.

1) Follow the advice to disable "Auto-retrieve" (or Auto-fetch) MMS.

2) Don't open any MMS attachments from people/numbers you don't know.

3) Wait for patch to install when it is available.

4) Don't worry, be happy, enjoy life.

Lola
Leader

The patch is available now, Lesa. :-) I just did my phone. It's 233mb, which is good to know if you're using data and not wifi. It might suck the life out of your battery during install and optimization. My battery dropped 15% during the process. 

lesa_322
Just Moved In

Thanks Lola, but I haven't received it as of yet, hope I do receive it today, Lesa

lesa_322
Just Moved In

Thanks Lola, just got the patch and downloaded it, thank you for letting me know, Lesa

lesa_322
Just Moved In

Lola :-), after your advice on the battery I kept it charging while it downloaded and installed, thank you

Have a great long weekend, Lesa

lesa_322
Just Moved In

Thank you xray, I did uncheck MMS as soon as the warning was issued.

This morning I got the security patch for StageFright, which is now on my phone

I didn't worry, am happy and enjoy life, but when I called TELUS they had me transferred to several different people and all of them had no answers, and I was on the phone with them over an hour getting nowhere, and yes I was frustrated by their ignorant attitude with me, that bothered me a lot

ScottV
Just Moved In

Can we get an updated list? "Please keep an eye on this page - we will be updating the device list regularly."


I have an Alcatel Idol 3, which according to the list should have received the update August 31; however, I still have not received the update.

acastong
Just Moved In

Just received the update for the Motorola Moto E.  I thought the update would be Android 5.1 that has been available for a while from Motorola, but it is a fix on Android version 5.0.2.  Any idea if/when we might receive the official update to Android 5.1 for the Moto E (LTE 2nd gen - XT1527)?

Muskoka
Just Moved In

Don't do the latest Idol 3 update, it will break the speaker phone functionality. The person on the other end will get a horribly loud echo if you use the speaker phone. Was not an issue prior to the update!!! This "crap" should not be happening. Does nobody check these updates before issuing them to the public, very disappointing?

Hai_Karate
Just Moved In

The update for the Alcatel Idol X+ came out yesterday.  After the update was installed, the "Stagefright Detector" app from Google Play indicates that the phone still has at least one unpatched Stagefright vulnerability.  Some of the holes have been closed by the patch but not all.  Not good, Telus.

xray
Rockstar

"Some of the holes have been closed by the patch but not all. Not good, Telus."


@Hai_Karate, the patch comes from Alcatel not TELUS. You can't blame Canada Post if you don't like the mail you get.

Hai_Karate
Just Moved In

@xray: Perhaps you should read the section above entitled "What TELUS is doing to help protect our Customers". It implies that the patches that are rolling out are produced at least in part at the behest of Telus itself and also that those patches have been tested and vetted by Telus. To the best of my knowledge only iPhone and Nexus devices receive system software updates directly without those patches being tested by the carriers.

acastong
Just Moved In

I hear that Motorola does not plan to provide any update past 5.0 for carriers for the Moto E. This is really bad as Motorola promised updates when it started promoting this phone. If I had a 2014 Moto X that I bought just last year at a premium, I would be very mad just like the many others that are very angry with this.


Since Telus is still selling Telus branded Moto E, I sure hope it will put pressure on Motorola to step up and provide both full security update for all Stagefright vulnerabilities and provide full system updates for the Telus version of the phone.

xray
Rockstar

@Hai_Karate, it is not the carrier's role to test every functional change to the OS. The carrier testing is focused on ensuring the device will connect to the network properly and is stable from a network perspective. It is unreasonable to expect the carriers to test functionality beyond that since the scope would be vast considering the number of devices multiplied by the number of functions each device has. I refer you to this informative article for an explanation of the process followed by all carriers, not just TELUS.

http://forum.telus.com/blog/N_blog/53596/all/software-update-life-cycle

Hai_Karate
Just Moved In

@xray: You seem to be some sort of sad Internet know-it-all who is determined to be a White Knight and Defender of All Things Telus.  Whatever.  I hope you're getting paid to be here by Telus otherwise you need to do something else with your life.

lesa_322
Just Moved In
That is not looking good for TELUS or Motorola, you would only think the manufacturer and TELUS would work together to make sure updates were issued, but to still sell the phones with knowing about this really shows poor judgement on both sides
xray
Rockstar

"@xray: You seem to be some sort of sad Internet know-it-all who is determined to be a White Knight and Defender of All Things Telus.  Whatever.  I hope you're getting paid to be here by Telus otherwise you need to do something else with your life."

 

@Hai_Karate, Wow, where did that come from? I can see you didn't come to the Neighborhood for a neighborly discussion so I see no need to respond to any more of your posts. Have a good day.

Christophe
Just Moved In

Hello, do you have any details of which version of Android fixes that issue?

According to the CVE bulletin related to the StageFright vulnerability (CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829), the Android version where the issues are fixed is version 5.1.1 LMY48I or higher.

The last Android update I received on my TELUS Samsung Galaxy S4 is 5.0.1, compiled the 24 August.

So my question is: could you give us the release note where it is specified that the CVEs below are fixed and back-ported to 5.0.1?

My other question is: what about the other CVEs released after the announcement of the StageFright vulnerability (CVE-2015-3868, CVE-2015-3869, CVE-2015-3870, CVE-2015-3871, CVE-2015-3872, CVE-2015-3873, CVE-2015-3874, CVE-2015-3875, CVE-2015-3877, CVE-2015-3879, CVE-2015-6596, CVE-2015-6598, CVE-2015-6599, CVE-2015-6600, CVE-2015-6601, CVE-2015-6603, CVE-2015-6604, CVE-2015-6606, CVE-2015-7716, CVE-2015-7717)?

lesa_322
Just Moved In
Sorry, I know the same as you, if you find out more please let me know
Lesa