[Faccus] Stagefright bug: Statement from Information Security Services

Natasha Jennings njennings at uwaterloo.ca
Thu Jul 30 12:15:51 EDT 2015

A message from IST's Information Security Services (ISS) group

Stagefright bug makes Android devices vulnerable to remote access, and all that's needed is your mobile number.

According to news reports published earlier this week, IT security experts have identified a vulnerability in Android's operating system that allows someone to access your device, including all apps, content, and even your camera, using only your mobile number. The worst part? The owner of the compromised device won't even know that it's happened.

What is Stagefright?

Stagefright is being described as "a benign piece of software code that governs how some mobile devices receive and process certain media files." An unknown user could exploit the vulnerability identified in this code to send a "specially crafted media file" to a device for which they know the number. The device owner may see a new-message notification pop up on their screen, but otherwise everything looks normal.

This is what makes Stagefright so scary. Unlike phishing or other suspicious emails circulating around campus, which require the user to open a file or click on a link to run the malicious software, Stagefright requires no action on the part of the targeted device owner.

I'm an Android user - what should I do?

Android devices running version 2.2 and later are vulnerable. While Google has pushed a patch to its partners for Nexus devices, manufacturers of other Android-powered devices have yet to follow suit. In the meantime, Android users can follow the steps below to protect themselves.

Recommended action

  1.  Turn off auto-downloading of MMS/SMS messages
  2.  Block messaging from unknown contacts
  3.  Contact your device manufacturer and/or Internet Service Provider (ISP) to inquire about patch availability.

Additional communications will be shared when more information is available.

Additional resources:

  *   http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/
  *   http://www.cbc.ca/news/business/stagefright-bug-makes-nearly-1-billion-android-phones-vulnerable-zimperium-says-1.3171108

Recipients of this message: sec-wg, ist-staff, isthd, faccus, admin-support, UWweb, ctsc, ucist

Natasha Jennings
Communications Officer
Information Systems & Technology (IST)
University of Waterloo
519-888-4567 ext. 47951
