Reply to post: Re: Show me the risk

Google proffers plugs in Android MMS pwnfest

Michael Wojcik Silver badge

Re: Show me the risk

So what is the real risk of bad things happening to the average Joe?

Impossible to estimate. Given the number of Android devices out there, I suppose it's not hugely likely that you'll get attacked randomly via MMS or any other relatively expensive vector. On the other hand, the Stagefright issues can be exploited via email and web, too, if you attempt to render multimedia content delivered over those media (or any other).

MMS is the traditional vector for discussions of Stagefright because many MMS clients default to auto-preview, which means they're vulnerable by default - no user action (or, at most, viewing the message) is required.

On the other hand, if any of you manage to piss off someone who's both knowledgeable and immoral...

Or do you have to root your handset, sideload software and visit dodgy sites before you get attacked?

No. All you have to do is attempt to render malicious media, which can arrive by any number of means. A standard Android device with a sufficiently old version of the OS is vulnerable out of the box.

If you have a phone configured to preview media in MMS messages without being unlocked (assuming that's possible - I know some clients can be configured to preview at least the text portion without being unlocked), it should be possible to take it over without even unlocking it.
