SingCert: Beware of major Android flaw that could lock users out of smartphones

Users of Google Nexus devices are advised to download a security program from Google onto their phones as soon as it is available.
Users of Google Nexus devices are advised to download a security program from Google onto their phones as soon as it is available.PHOTO: AFP

SINGAPORE - The authorities have put up a security advisory online warning Google Android smartphone and tablet users to be wary of downloading media files sent via MMS, or multimedia messages.

A major Android operating system flaw allows hackers to take control of users' smartphones simply by sending an MMS, said the Singapore Computer Emergency Response Team (SingCert), a unit of Singapore's newly set up Cyber Security Agency.

The weakness, which was first discovered in April this year, resides in "Stagefright", a media playback tool in Android. Once the infected media file is downloaded on a device, it allows a hacker to access private data in it.

Users of Google Nexus devices are advised to download a security program from Google onto their phones as soon as it is available. Other Android phone users are advised to check with their respective manufacturers for the availability of the security software.

"As an interim protective measure, users should exercise caution and not download media files sent via MMS and should deactivate the auto retrieval feature for MMS," said SingCert.

On its Facebook page, telco M1 also urged Android smartphone users to block messages from unknown senders. "Google has issued an update to resolve this, and this will in due course be available as a software update for your phone from your phone manufacturer. We would recommend that you update your phone when this is available," said the M1 Facebook post put up at 4pm on Thursday.

When contacted, a Google spokesman said: "This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users."

itham@sph.com.sg