Stagefright MMS bug - 95% of Android devices vulnerable

Sooon

Member
Oct 3, 2014
http://consumerist.com/2015/07/27/b...e-over-your-android-phone-with-a-single-text/

http://fortune.com/2015/07/28/stagefright-google-android-security/

This is a pretty nasty bug, you can be infected without even opening the text message. Google has patched the bug, but it's up to the manufacturers to release the updates. Bad news for those devices that are no longer being supported by their manufacturers.

That means an attacker can infect your device simply by sending you a malicious MMS message. (Remember that acronym? Multimedia message service.) In fact, a victim doesn’t even have to open a booby-trapped message for the attack to spring. Once the message is received, your phone is toast.

The level of access attackers would gain would allow access to files stored on SD cards as well as on the phone memory. Attackers could also turn your phone into a bug, remotely recording audio and video without your knowledge. Bluetooth access is also hackable via Stagefright. All versions of Android from 2.2 and up are considered vulnerable.

If that sounds terrifying, well, it kind of is. And then it gets worse. The exploit isn’t like a virus-laden e-mail attachment; you don’t actually have to try to view the media in order to be affected. Merely looking at the message in some apps is enough.

And then there are the apps where you don’t even have to open the message: for folks who use Google Hangouts to read their texts, Hangouts would open and access the exploit code “immediately before you even look at your phone… before you even get the notification,” Drake told Forbes, adding that it’s possible then to delete the message before the user even receives an alert, making the attack completely silent.

 

lxskllr

No Lifer
Nov 30, 2004
So, how does this work for updates? I have an S5 that I have zero interest in upgrading from KitKat. Is there any chance of Samsung releasing a KitKat fix? If so, could I simply extract the files from the image and insert them myself? How about a later image? What if I put Lollipop files in my KitKat? There's no reason it shouldn't work unless they depend on other files of a specific version...

I really hate mobile devices. It's all a bunch of hacking around, trying to retain control from companies that want to take it from you.
 

PokerGuy

Lifer
Jul 2, 2005
Wow, that sounds really really nasty. We've seen hundreds of exploits that all basically come down to tricking the user into doing something dumb, opening a package, clicking a link etc. With this one, you can get nailed and have your phone compromised without doing anything. Even worse, if the attacker wants, they can compromise your phone and remove any trace of the compromise itself, so you'd have no idea your phone was compromised.

Who the heck thought it would be a good idea to design the software to just automatically open some data/package/info from unverified senders without any user intervention anyway??
 

KB

Diamond Member
Nov 8, 1999
Damn I am screwed. Verizon makes one update per phone and then drops support and they already released their one update.

I might have to hack it and install a mod to be safe.
 

poofyhairguy

Lifer
Nov 20, 2005
This is a pretty nasty bug, you can be infected without even opening the text message.

It is really not that bad. There is no complete exploit that gets out the sandbox, and all post-Jellybean systems have protections to limit potential damage.

I mean, it is a nasty hack and it's going to expose the issue with Android's broken update process. But that is because those with axes to grind are going to go after Android. The real danger to individuals is minimal.
 

Megatomic

Lifer
Nov 9, 2000
It is really not that bad. There is no complete exploit that gets out the sandbox, and all post-Jellybean systems have protections to limit potential damage.

I mean, it is a nasty hack and it's going to expose the issue with Android's broken update process. But that is because those with axes to grind are going to go after Android. The real danger to individuals is minimal.
This is good to know. And honestly, the Android update process needs a major overhaul. The carriers need to be removed from the system just as they are on iPhones.
 

poofyhairguy

Lifer
Nov 20, 2005
So, how does this work for updates? I have an S5 I have zero interest in upgrading from KitKat. Is there any chance of Samsung releasing a KitKat fix? If so, could I simply extract the files from the image, and insert them myself? How about a later image? What if I put Lollipop files in my KitKat?

That isn't going to work, and the only devices that MIGHT get a Samsung KitKat fix are ones that will forever be stuck on KitKat. If you want to stay on KitKat, the only real option is to manually disable the attack vector on your devices:

https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html

It isn't that hard to avoid the exploit. Plus in order to use the exploit someone would have to know your phone number. Do you have some arch enemy that will be willing to do that? I think the real danger is like for company CEOs and government types.
 

poofyhairguy

Lifer
Nov 20, 2005
This is good to know. And honestly, the Android update process needs a major overhaul. The carriers need to be removed from the system just as they are on iPhones.

We have this debate every six months or a year, and it always comes to the same conclusion. I don't even think Google disagrees at this point that the Android update process sucks. That is why Android Wear and Chrome OS don't allow for all the carrier updates or OEM skinning to the point of forking nonsense.

With that said for Android phones the horse is out of the barn. Giving the carriers all that power is how they got the deal with Verizon to launch Droid and take down the Web OSes and Blackberries of the world. There is no way to put that genie back in the bottle outside of the phones Google controls directly (Nexuses). It is baked into the crust of Android.

Unlike other computing platforms where the cost of the OS for the OEM is one-time (Windows machines), on the Android platform each time an OEM rolls out another update for a device they eat into the profit they made selling you the device. Unlike Apple, where the margins are so huge that this is insignificant, some of the Chinese phones have to have like a 5-10% margin. That doesn't allow for a lot of software development.

To me this is exactly why people who care about this stuff and getting updates need to take things into their own hands. Don't get a Galaxy phone, or a HTC something something, and then bitch that Verizon or Samsung or whoever are these evil companies keeping you from getting updates. Part of what you buy in the package is maybe or maybe not getting updates. Do your research, look how companies supported their older devices, and if possible buy an unlocked non-carrier device to avoid them getting in the way. Yeah it would be great if Google just magically fixed it, but they aren't and that is the reality we all have to deal with.

That is a big reason why my next phone will almost certainly be a Nexus. And why I am very interested in Cyanogen's OS. Their concept of sharing app store revenues with OEMs might give phones the kind of long tail revenue stream needed to support a more robust update process. Google needs to do that ASAP.
 

lxskllr

No Lifer
Nov 30, 2004
That isn't going to work, and the only devices that MIGHT get a Samsung KitKat fix are ones that will forever be stuck on KitKat. If you want to stay on KitKat, the only real option is to manually disable the attack vector on your devices:

https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html

It isn't that hard to avoid the exploit. Plus in order to use the exploit someone would have to know your phone number. Do you have some arch enemy that will be willing to do that? I think the real danger is like for company CEOs and government types.

I don't use either of those messengers, and honestly, I'm not as concerned about MMS as I am about random media files around the web. I haven't seen anything that says it's limited to messaging. Seems to me malformed media wherever encountered could be an issue, and with a pwned machine, the attacker wouldn't need to know about me ahead of time.

I use NoScript, and tend to avoid video in general, but NoScript isn't quite as robust on Android (surprise) as it is on the desktop. It doesn't seem unreasonable to stumble on something while traveling around.
 

poofyhairguy

Lifer
Nov 20, 2005
I don't use either of those messengers, and honestly, I'm not as concerned about MMS as I am about random media files around the web. I haven't seen anything that says it's limited to messaging.

It's not. But the applications themselves can be updated to block the exploit on their end. I know Firefox for Android, for example, has recently been updated. It too was apparently vulnerable via web pages containing booby-trapped videos.
 

gorcorps

aka Brandon
Jul 18, 2004
Am I reading this wrong, or is this more app-specific than Android-specific? I mean, I know it's an Android vulnerability, but the info makes it sound like some apps are more prone to activating this exploit than others... so the app devs themselves can change things on their end, right? Hopefully we're able to get the real fix eventually, but for those on unsupported phones I would think an update to their messaging app could help.
 

uallas5

Golden Member
Jun 3, 2005
Am I reading this wrong, or is this more app-specific than Android-specific? I mean, I know it's an Android vulnerability, but the info makes it sound like some apps are more prone to activating this exploit than others... so the app devs themselves can change things on their end, right? Hopefully we're able to get the real fix eventually, but for those on unsupported phones I would think an update to their messaging app could help.

My understanding is that the messaging app is the delivery vehicle rather than the base of the problem. Otherwise Google would have updated Hangouts and the default Android messaging apps through the Play Store already.
 

poofyhairguy

Lifer
Nov 20, 2005
Am I reading this wrong, or is this more app-specific than Android-specific? I mean, I know it's an Android vulnerability, but the info makes it sound like some apps are more prone to activating this exploit than others... so the app devs themselves can change things on their end, right? Hopefully we're able to get the real fix eventually, but for those on unsupported phones I would think an update to their messaging app could help.

You kinda got it right. It IS Android specific as Stagefright is Android's media engine:

http://source.android.com/devices/media.html

But the hack uses a vulnerability (the fact that phones autoload these messages) in MMS to take advantage of the weakness in Stagefright. Apps can do things to wall off media components and limit the damage possible.
 

sweenish

Diamond Member
May 21, 2013
It's a pretty simple thing to avoid until an update rolls out to fix the root.

Use an app that gives you the option to not automatically download MMS. Like Google Messenger.

I guess the hidden other step is trust that your contacts don't want to do this to you, and don't be stupid.
 

gorcorps

aka Brandon
Jul 18, 2004
My understanding is that the messaging app is the delivery vehicle rather than the base of the problem. Otherwise Google would have updated Hangouts and the default Android messaging apps through the Play Store already.

You kinda got it right. It IS Android specific as Stagefright is Android's media engine:

http://source.android.com/devices/media.html

But the hack uses a vulnerability (the fact that phones autoload these messages) in MMS to take advantage of the weakness in Stagefright. Apps can do things to wall off media components and limit the damage possible.

Yeah, I know the root problem is an Android vulnerability. It just sounds like more can be done about it on the app side than people realize. It's not like people on older phones are totally SOL. I've already disabled auto-retrieve of MMS messages on my Note 4, so I'd have to at least physically open the message to get hit.

It's at least something
 

Oyeve

Lifer
Oct 18, 1999
Bah, my default MMS app on all my phones has auto-retrieve off already. I really don't see the big whoop. Didn't this happen a few months ago on another platform already?
 

magomago

Lifer
Sep 28, 2002
Hangouts has MMS download on by default IIRC. 99% of people have it like that, and I don't understand why one would normally want it off.
Ultimately MMS and SMS serve the same function; do we want notifications about SMS and then decide to 'retrieve' them?

IMO this is a big deal, and turning off MMS is a PITA.

I'm also running 4.4 on an S5 because 5.X is a laggy POS... and I'm wondering if the fix can be patched in. I'm already rooted and running a lighter-weight version of the stock ROM.
 
Feb 19, 2001
You kinda got it right. It IS Android specific as Stagefright is Android's media engine:

http://source.android.com/devices/media.html

But the hack uses a vulnerability (the fact that phones autoload these messages) in MMS to take advantage of the weakness in Stagefright. Apps can do things to wall off media components and limit the damage possible.
But it's not just limited to MMS right? There's mobile messengers like WhatsApp, Facebook Messenger, etc.
 

stlc8tr

Golden Member
Jan 5, 2011
Just noticed a Chrome update. I wonder if it patches this exploit? The release notes did not contain any details aside from the ubiquitous "misc. bug fixes".
 