Stagefright: Worst Android Vulnerability Yet
Remember back in June when you snickered at your iPhone friends, because a specially crafted text message could shut down their phones? It's payback time. A similar vulnerability in Android phones can do much scarier things. Here's what you need to know, and do…
What is the Android Stagefright Problem?
Researchers with Zimperium Mobile Security recently discovered a flaw in 95% of Android devices (of which there are an estimated 950 million) that allows hackers to remotely execute malware on a device if they only know its phone number. Here is how it can happen:
A bad guy need only send a specially-crafted MMS message to a target device. The malformed message overloads a vulnerable part of the device’s memory, essentially creating a “hole” in Android’s defenses through which malware can be injected. The malware can then take over complete control of the device, and even erase all signs of its invasion.
The really scary thing is that this attack does not require any action on the victim’s part. You can protect against phishing messages and rogue Web sites by not clicking on suspicious file attachments, links, and download buttons. But this attack can take place while you’re not even looking at your phone. The implanted malware can quickly erase any notification of the treacherous MMS message, and even the message itself.
The vulnerabilities (yes, plural) were discovered in an Android module code-named “Stagefright,” whose job is to display common multimedia files. Stagefright is written in so-called “native code,” (specifically, C++), which is more susceptible to this sort of memory corruption than languages such as Java, which were designed with memory-security in mind. However, native code executes faster, which is important for displaying multimedia; that’s why C++ was chosen for this portion of Android.
Android versions 2.2 and later are vulnerable; even the latest Lollipop 5.1.1 version contains this alarming flaw. Android versions earlier than Jelly Bean (roughly 11% of all devices) are especially vulnerable.
In an unusual move, Zimperium created patches for the Stagefright vulnerabilities and gave them to Google along with Zimperium’s documentation of each vulnerability. To Google’s credit, the patches were applied to the company’s internal “working copy” of Android within 48 hours. All copies of Android obtained directly from Google are now safe from Stagefright.
One More Hurdle...
But Google doesn’t update Android devices directly. New versions of “pure” Android go to device manufacturers and cellular service carriers. Those middlemen customize Android to their liking before installing their tweaked versions on devices and selling them. Once they’ve sold you a phone, these middlemen have little incentive to keep your copy of Android updated and secure. Devices older than 18 months are unlikely to get updates at all, because you’re expected to buy a new device every two years.
In the absence of a software fix from your carrier, one thing you can do to mitigate the risk is to turn off the "auto-retreive" option for MMS messages on your phone. (Google for instructions specific to your handset.) Doing this will require you to explicitly click to view a multimedia message, if one arrives from a person you don't know. Once the official fix is applied, you can turn auto-retrieve back on.
At least two group of users are already protected against Stagefright exploits, says Zimperium. Users of SilentCircle’s high-security Blackphone running PrivateOS v1.1.7 or higher are safe. In addition, if you've rooted your phone and installed CyanogenMod (a custom version of the Android operating system), you're okay. Enterprise customers of Zimperium’s Enterprise Mobile Threat Protection solution, zIPS, are also protected against Stagefright vulnerabilities. But consumer and small business users of Android have only one hope.
Call the maker of your Android device, and your cellular carrier, and demand to know when the Stagefright fix will be pushed to your device. Be persistent until you get it. Only if enough end users make enough noise will this extremely dangerous bug be fixed.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 29 Jul 2015
|For Fun: Buy Bob a Snickers.|
Will YOU Pay the Netflix Tax?
The Top Twenty
Geekly Update - 30 July 2015
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005
- Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Stagefright: Worst Android Vulnerability Yet (Posted: 29 Jul 2015)
Copyright © 2005 - Bob Rankin - All Rights Reserved