Android Vulnerability Renews BYOD Concerns for Employers

By Daniel L. Farris

Earlier today, researchers at Zimperium Mobile Security released information about a new vulnerability in the Android mobile operating system, dubbed “Stagefright.”  Approximately 80% of all smartphones run on Android, making it the most popular mobile OS on earth. 

Deemed the “Mother of all Android Vulnerabilities,” Stagefright may affect 95% of the more than 1 billion Android devices on the market.  The vulnerability allows hackers to access a target phone, and potentially take it over, with only a phone number.  A user will not have to “goof up” for Stagefright to work.  Instead, the malicious code begins to work the moment an Android device receives a text. 

NPR describes Stagefright’s operation as follows:  

The bad guy creates a short video, hides the malware inside it and texts it to your number. As soon as it's received by the phone, Drake says, "it does its initial processing, which triggers the vulnerability."

The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery. That way the user doesn't have to waste time looking. But, Drake says, this setup invites the malware right in.

Once a hacker gets in, he could potentially do anything – copy data, delete it, or take over your microphone and camera to monitor your every word and move. 

Fixing the problem could also take time.  Google – who makes Android – is ultimately not to blame.  Google provides its latest version of Android to phone manufacturers, who may then modify Android as they wish.  The manufacturers sell phones to/through carriers, and the carriers often make further modifications to Android.  Google has responded quickly to the vulnerability, and has already provided patches to its partners, which can be applied to any device.  How quickly those will work through manufacturers’ and carriers’ systems is another question.  Recent statistics show that only about 12% of phones operating Android are fully patched and up-to-date.

Stagefright, as well as other similar vulnerabilities, should remind and renew privacy and data security considerations surrounding BYOD programs.  BYOD programs have long presented employers with a dilemma:  “there is an obvious need to protect corporate data (indeed, if such data includes any personal information, then they are legally bound to protect it by data privacy legislation), but implementing the minimum security measures may also violate employees’ right to privacy.” 

Any good BYOD policy should include device security management.  Best practice includes encrypting data and documents on users’ phones and tablets, as well as the ability to potentially wipe devices remotely.  Some forward-thinking companies have begun to use geo-fencing as part of a security policy, including, for example, disabling cameras on mobile devices when they are in secure areas.  That said, there are low cost options that can significantly lower your organizational risk.  Understanding both the legal and technical options and implications of your policy is key. 

For assistance in drafting, implementing, or refining your own BYOD Policies, please contact the author or a Polsinelli Privacy and Data Security team member.