HUGE vulnerability found in Android phones. (Stagefright)

The Infidel
Jedi Master
Posts: 1283
Joined: 2009-05-07 01:32pm
Location: Norway

HUGE vulnerability found in Android phones. (Stagefright)

Post by The Infidel »

Huge vulnerability found. A specially crafted MMS can take control over your phone even though you don't open it. When control is taken, the attacker can delete his MMS and no trace of the attack can be found. Now, the attacker can do everything on your phone that you can, including taking control over camera and microphone. NB! There are at this date no known attacks, but I say better safe than sorry.

http://www.androidcentral.com/stagefrig ... -need-know
There's a scary-sounding story going around this morning about the "worst Android vulnerability in the mobile OS history!" (Exclamation point theirs, not ours.) The gist is that malware could be embedded in a video, which theoretically could be exploited without you doing a single thing. And, oh, just about every Android phone is vulnerable.

So should you worry? Let's discuss.

What is it?

Details are mostly being withheld publicly until the Black Hat conference next week in Las Vegas, but the gist is that malware theoretically could be embedded in a video file. And that video file could then be sent via MMS (text message) to your phone. The exploit comes into play with Google's (now regrettably named) "Stagefright" media playback engine, which was introduced in Android 2.2. And if you use a text messaging app that goes ahead and prepares that file for you for viewing — as Google Hangouts does, according to the example — your phone is potentially vulnerable, should a rogue video be processed.

Who found this exploit?

The exploit was announced July 21 by mobile security firm Zimperium as part of an announcement for its annual party at the BlackHat conference. Yes, you read that right. This "Mother of all Android Vulnerabilities," as Zimperium puts it, was announced July 21 (a week before anyone decided to care, apparently), and just a few words later came the even bigger bombshell of "On the evening of August 6th, Zimperium will rock the Vegas party scene!" And you know it's going to be a rager because it's "our annual Vegas party for our favorite ninjas," complete with a rockin' hashtag and everything.


So, ya know, it's serious. Or something.

How widespread is this exploit?

The short answer is we don't really know. Any exploit that potentially affects any device back to Android 2.2 is absolutely no bueno. The Stagefright media engine is deep down in the Android OS. You don't want to see anything exploiting it. Zimperium apparently alerted Google in April and May, proposed patches, and Google accepted them. What we don't know is whether the fix has been pushed to Google's phones (the Nexus line), or if any manufacturers have pushed out the fix on their end. (We wouldn't put money on it, though.)

The good news is that the researcher who discovered this flaw in Stagefright "does not believe that hackers out in the wild are exploiting it." So it's a very bad thing that apparently nobody's actually using against anyone, at least according to this one person.

So should I worry or not?

Make no mistake about it: This is a bad exploit. And it further highlights the difficulties of getting updates pushed out through the manufacturer and carrier ecosystem. On the other hand, it's a potential avenue for exploit that apparently has been around since Android 2.2 — or basically the past five years. That either makes you a ticking time bomb, or a benign cyst, depending on your point of view.

And for its part, Google told Android Central that there are multiple mechanisms in place to protect users.


We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.

Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.

This is an exploit that needs to be fixed, sooner rather than later — if it hasn't been already. But it's not one that's going to keep us up at night. There are a lot of unknowns, and unfortunately they're being ignored for the sake of scary-sounding storytelling.

What about updates to fix this?

We're going to need system updates to truly patch this. The good news is the code's already done on Google's end. The bad news is that most folks are going to have to wait on the manufacturers and carriers to push it out. But, again — while we're talking something like 950 million vulnerable phones out there, we're also talking zero known cases of exploitation. Those are pretty good odds.

HTC has said updates from here on out will contain the fix. And CyanogenMod is incorporating them now as well.

And while he doesn't mention this Stagefright exploit by name, Google's Adrian Ludwig on Google+ has addressed exploits and security in general, again reminding us of the multiple layers that go into protecting users. He writes:


There's a common, mistaken assumption that any software bug can be turned into a security exploit. In fact, most bugs aren't exploitable and there are many things Android has done to improve those odds. We've spent the last 4 years investing heavily in technologies focused on one type of bug -- memory corruption bugs -- and trying to make those bugs more difficult to exploit.

For more on how that works, read our Q&A on security with Google's Ludwig.
One way to protect the phone is to use Google Hangouts or Google Messenger as the default SMS and MMS app, and then turn off auto-retrieve for MMS. How to do that here: https://www.twilio.com/blog/2015/07/how ... ploit.html
Where am I at in the post apocalypse draft? When do I start getting picks? Because I want this guy. This guy right here. I will regret not being able to claim the quote, "The first I noticed while burning weed, so I burned it, aiming at its head first. It wriggled for about 10 seconds. Too long... I then fetched an old machete [+LITERALLY ANYTHING]"
- Raw Shark on my slug hunting
SCRawl
Has a bad feeling about this.
Posts: 4191
Joined: 2002-12-24 03:11pm
Location: Burlington, Canada

Re: HUGE vulnerability found in Android phones. (Stagefright)

Post by SCRawl »

I appreciate the heads-up. I've just turned off auto-retrieve of MMS.
73% of all statistics are made up, including this one.

I'm waiting as fast as I can.
Borgholio
Sith Acolyte
Posts: 6297
Joined: 2010-09-03 09:31pm
Location: Southern California

Re: HUGE vulnerability found in Android phones. (Stagefright)

Post by Borgholio »

Or one could just turn off auto-retrieve MMS messages. Google Hangouts is not required...but often nicer than using the default app for general use.
You will be assimilated...bunghole!
The Infidel
Jedi Master
Posts: 1283
Joined: 2009-05-07 01:32pm
Location: Norway

Re: HUGE vulnerability found in Android phones. (Stagefright)

Post by The Infidel »

Borgholio wrote: Or one could just turn off auto-retrieve MMS messages. Google Hangouts is not required...but often nicer than using the default app for general use.
Heh, you're right. I just did as in the link. I've had Android since spring, and still have lots to learn.
Where am I at in the post apocalypse draft? When do I start getting picks? Because I want this guy. This guy right here. I will regret not being able to claim the quote, "The first I noticed while burning weed, so I burned it, aiming at its head first. It wriggled for about 10 seconds. Too long... I then fetched an old machete [+LITERALLY ANYTHING]"
- Raw Shark on my slug hunting
Ace Pace
Hardware Lover
Posts: 8456
Joined: 2002-07-07 03:04am
Location: Wasting time instead of money

Re: HUGE vulnerability found in Android phones. (Stagefright)

Post by Ace Pace »

ITT we discover not deprecating standards bites us in the ass or "everyone ignored the last half decade of SMS layer vulnerabilities".

In a totally irrelevant factoid, from personal knowledge, the CEO of Zimperium is kind of an asshole.
Brotherhood of the Bear | HAB | Mess | SDnet archivist |