Scary Vulnerability: One Text Can Hack 95% of Android Phones

dgstorm


Here's a story that @Jeffrey shared with us. Apparently several nasty new vulnerabilities have been discovered in Android. These new vulnerabilities are being called the worst security flaw in Android ever discovered. The scary part is that they can be activated just from text messages. Here's a quote with the details:

Joshua Drake, from Zimperium zLabs, who reported the bugs in April this year, said whilst Google has sent out patches to its partners, he believes most manufacturers have not made fixes available to protect their customers. “All devices should be assumed to be vulnerable,” Drake, vice president of platform research and exploitation at Zimperium, told FORBES. He believes as many as 950 million Android phones could be affected, going on figures suggesting there are just over 1 billion in use. Only Android phones below version 2.2 are not affected, he added.

The weaknesses reside in Stagefright, a media playback tool in Android. They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions. That would allow for recording of audio and video, and snooping on photos stored in SD cards. Bluetooth would also be hackable via Stagefright.

Depending on the MMS application in use, the victim might never know they had even received a message. Drake found that when the exploit code was opened in Google Hangouts it would “trigger immediately before you even look at your phone… before you even get the notification”. It would be possible to delete the message before the user had been alerted too, making attacks completely silent, he added.

It seems ridiculous that the Android OEMs are dragging their feet on getting Google's fixes out to Android owners. Let's hear from our forum experts on this subject. Is this something we should be concerned about?

There's even more info regarding these vulnerabilities at the Forbes source link below.

Source: Stagefright It Only Takes One Text To Hack 950 Million Android Phones
 
It's a shame that Google's figured out a fix for this, but apparently hasn't been able to bake it in to their messaging apps. You'd think they could do something in the code for Hangouts to block the triggers from being activated in this way.

While they may have issued fixes and we're all now waiting on OEMs and carriers (good luck...), it's kinda hard to believe there's not at least a temporary fix that could be used in Google's own messaging apps in the meantime.
 
This is exactly why people shouldn't buy devices where the carriers control the software and updates.
 
I agree that the carriers drag their feet when it comes to updates, but what alternatives do we really have?
iPhone or Nexus. Yeah, not a funny joke. But that's one of the reasons why I jumped on the Nexus 6 was updates in a very timely fashion.
 
Was just about to type the same thing.
Nexus devices or phones like the OnePlus that cut the carrier out of the upgrade path.
It's the reason my last two phones weren't carrier specific devices.
 
The point I was trying to make is: those folks that purchase Nexus/OnePlus devices usually root them. The whole "security" concerns go out the window making your device just as vulnerable to hacking.
Despite all the precautions we take on a daily basis in order to protect our private data, identity, etc., there will ALWAYS be a way for hackers to gain access to your device. If it's not this particular vulnerability, it will be another. Nobody is 100% secure regardless of what device you purchase.

S5 tap'n
 
Sure, but then I have to react to get MMS from people I actually want to get them from...

Safety first!

Alternatively, you can block non-contact numbers if manually retrieving a photo, document, sound file, etc. is too much of a hassle.
 
Yeah. I already made the change on my phone. I still think they should be able to code the app to just completely reject any message containing the trigger.
 
That's probably what's going to happen. The last security flaw on a Samsung device was patched by Samsung over the air on my phone. I'm sure they will do the same for Messenger.

My problem is that I now have to stop using Textra. They do not include an option to turn off auto downloading. I guess I will go back to Sammy's Messenger app for now and shoot the Developer of Textra an email.
 
The point I was trying to make is: those folks that purchase Nexus/OnePlus devices usually root them. The whole "security" concerns go out the window making your device just as vulnerable to hacking...

S5 tap'n

From what I understand, the only danger in rooting is if you, yourself, install malicious code. It doesn't make you "more" vulnerable to an attack, meaning, someone can't attack you just because you are rooted. Rooting just means you have opened access to files at the root level.
 
IMO it makes you more secure. Until Google brings back their baked-in permissions control functions that they suspiciously removed, rooting gives you more ways to protect yourself than a stock firmware.
 