SIGNALS

Everyone is familiar with virus attacks on PCs and Macs. We take precautions to minimize the risk - making sure the firewall is up, keeping our antivirus software up to date, and not clicking on scary attachments. We are perhaps less vigilant with virus attacks on our phones. Of course, the danger is just as scary. Adding even more anxiety is a new virus called Stagefright that can be embedded in MP3 and MP4 files.

Stagefright and various mutations first appeared in the Spring and Summer. The first version used MMS and text to infect users. The newest version of the bug, just recently appearing, uses MP3 audio and MP4 video files as its host. It is dubbed Stagefright 2.0, and dodges existing patches for the earlier versions. (The name "Stagefright" comes from the Android media engine of the same name that contains the vulnerability.)

What is Stagefright 2.0 and how does it spread? It is a virus that exploits vulnerabilities in Android's multimedia function. The bug is placed in MP3 audio or MP4 video files; when you preview or play the infected file the bug is immediately activated and infects your device. In some cases, Android may automatically start playing a preview, and thus infect your phone. The most likely entry point is via a Web browser. Hackers can place the infected file on your phone by duping you into visiting a URL that is controlled by the hacker. Alternatively the attacker could use third-party apps to automatically install and possibly play the infected media file. As another alternative, the bug can also be spread on a public (unencrypted) WiFi network if the hacker uses traffic interception techniques (MITM); this is said to be the least likely method of attack.

Virtually all Android versions use the targeted multimedia feature, thus potentially over one billion Android devices are vulnerable. Once a device is infected, hackers can access your private data as well as any part of your phone. They could even access your phone's camera and microphone. It is not yet clear how prevalent the virus is.

And the remedy? Google's Android Security Team has already written a patch for the first version of Stagefright, and it is included in the Android 6.0 Marshmallow update. A patch for the newer version is apparently being studied. Newer devices will be protected through normal upgrades but it may take months or years to accomplish that. Even worse, historically, older devices are not supported and thus may never receive the fix.

So, what should you do? You should apply the same common sense you use with your PC and Mac. Only download apps from Google Play or Amazon App Store; avoid other app stores and do not download from untrusted sources. Look carefully at web sites you visit and don't click on links in emails and text messages from people you don't know. To find out if you are infected with the earlier version, you can download the Stagefright Detector app from Zimperium Labs; however, currently this app cannot test for the newest version of Stagefright.

Once upon a time, you played music by putting the needle in the groove, and watched video by putting a cartridge in a component that was perpetually flashing "12:00." Now, it's not so easy.