Android 'Stagefright' Vulnerability puts Millions at Risk

by James Chesters on Aug 03, 2015. Estimated reading time: 2 minutes

Google has moved quickly to reassure Android users following the announcement of a number of serious vulnerabilities.

The vulnerabilities, listed as "Google Stagefright Media Playback Engine Multiple Remote Code Execution Vulnerabilities", allow an attacker to send a media file in an MMS message that targets the device's media playback engine, Stagefright, which is responsible for processing several popular media formats.

Attackers can steal data from infected phones, as well as hijack the microphone and camera.

Android is currently the most popular mobile operating system in the world -- meaning that hundreds of millions of people with a smartphone running Android 2.2 or newer could be at risk.

Joshua Drake, mobile security expert with Zimperium, reports:

A fully weaponized successful attack could even delete the message before you see it. You will only see the notification... Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

Zimperium say that "Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that’s only the beginning of what will be a very lengthy process of update deployment."

NPR report that while Google gives its latest version of the Android OS to the manufacturers of smartphones and tablets, it's up to the manufacturers to "tweak it as they please."

Silent Circle report their Blackphone was patched "weeks ago". Similarly, CyanogenMod report the vulnerabilities "have been patched in CM12.0 and 12.1 nightlies for a couple weeks", and Mozilla has already patched the vulnerability in Firefox 38. Some manufacturers have yet to release official updates.

Security software and hardware vendor Sophos report that Google Nexus users are probably "already safe" but they "can't be sure which other device vendors have already patched, unless they choose to say so, because Zimperium is keeping the exploits under wraps" until the Black Hat USA conference on August 5.

Andrew Ludwig, Google's lead engineer for Android security, said:

Updates are truly a last resort. They should be neither the first nor the only step in a multi-layered stack of security technology.

I’m optimistic that advanced exploitation mitigation technology in Android will help us to move beyond the period of time when fast patching was the only solution available to secure devices. And I look forward to more research into how these technologies can be used to prevent exploitation on Android and other platforms.

One of the first steps users can take to protect their Android devices from the Stagefright issues is to disable the setting to "automatically retrieve" MMS messages and Google Hangouts. This should be done in the phone’s messaging app. However, because the vulnerability is in the Stagefright media library itself, MMS delivery is only one way of targeting Stagefright.

While Google has classified the Stagefright vulnerabilities as "high", Ludwig has cautioned against a blanket assumption that all bugs are necessarily exploitable, saying "There’s a common, mistaken, assumption that any software bug can be turned into a security exploit. In fact, most bugs aren’t."

Google have announced their Android Security Rewards program to encourage researchers to prove an issue is exploitable, paying up to $30,000 to developers who provide working remote exploits.

How to protect your Android device from the Stagefright Bug by Cristina Ada

The best way to protect your Android until an official fix is to turn off automatic retrieval of messages. Step-by-step instructions can be found here: www.ibvpn.com/2015/08/how-to-protect-your-andro...