Please see the below announcement from ANL Cybersecurity. As noted, it’s recommended you disable automatic MMS retrieval on your device if you use Android. Depending on your MMS application, the instructions for doing this may vary. I’ve included instructions for two Google messaging apps. Check the settings in your SMS/MMS app if it’s not one of these.
For “Messenger” from Google (https://play.google.com/store/apps/details?id=com.google.android.apps.messaging&hl=en): Click the “overflow menu” (three dots, top right corner), choose “Settings”, choose “Advanced”. Under “MMS” uncheck “Auto-retrieve”.
For “Hangouts” from Google (https://play.google.com/store/apps/details?id=com.google.android.talk&hl=en): Click the “Hamburger menu” (three horizontal lines, top left corner), choose “Settings”, choose “SMS”. If SMS is enabled, scroll to Advanced and uncheck “Auto retrieve MMS”.
Dear IT Admins:
A vulnerability has been discovered that can affect Android versions 2.2 through 5.1, about 95% of all Android devices in use. It is located within the Stagefright media library, which is used to render Multimedia Message Service (MMS) content, such as images or videos. By default, most Android devices automatically retrieve MMS messages. Thus, an attacker can perform malicious acts (enable microphone, copy files, turn on camera, etc.) without any action on the part of the recipient. This vulnerability can also be exploited through other means, such as visiting malicious websites.
Google has created patches to address this vulnerability, and most Android devices receive updates through phone manufacturers and cell service providers (Samsung, HTC, ATT, T-Mobile, etc.). When this security patch becomes available, please update your devices. In the meantime, you can reduce your exposure to this vulnerability by disabling auto-retrieval of MMS messages.
The Cyber Security Program Office recommends that all Laboratory employees take steps to protect the data on their mobile devices by practicing safe computing:
· Require a PIN to gain access to the device.
· Enable automatic updates to receive timely software patches.
· Install software from reputable sources.
· Be cautious of strange text and e-mail messages.
If you have any question about Stagefight or best mobile devices security practices, please contact the Cyber Security Program Office at firstname.lastname@example.org or ext. 2-3456.