Slashdot Mirror


'Stagefright' Flaw: Compromise Android With Just a Text

An anonymous reader writes: Up to 950 million Android phones may be vulnerable to a new exploit involving the Stagefright component of Android, which lets attackers compromise a device through a simple multimedia text — even before the recipient sees it. Researchers from Zimperium zLabs reported the related bugs to Google in April. Google quickly accepted a patch and distributed it to manufacturers, but the researchers say they don't think the manufacturers have yet passed it on to most consumers.

"The weaknesses reside in Stagefright, a media playback tool in Android. They are all "remote code execution" bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright's permissions. That would allow for recording of audio and video, and snooping on photos stored in SD cards. Bluetooth would also be hackable via Stagefright."

203 comments

  1. How to Disable Stagefright? by Anonymous Coward · · Score: 2, Interesting

    How can Stagefright be uninstalled / disabled?

    1. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 1

      lol

    2. Re:How to Disable Stagefright? by grilled-cheese · · Score: 1

      How can Stagefright be uninstalled / disabled?

      Buy a new phone with a version that includes the patches to begin with.

    3. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 5, Funny

      Please follow this guide to disable it:
      1. Stand up
      2. Take phone in hand
      3. Take a few steps to the trash bin
      4. Throw phone in trash bin

    4. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 5, Informative

      in build.prop, media.stagefright.enable-player=false

    5. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 1

      Short of uninstalling Android, I don't believe you can. Stagefright is the core media decoding/playback platform that provides access to hardware (and fallback software) codec implementations.

    6. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 0

      Simple, uninstall Android.

    7. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 0

      That was the very first question all 950 million of us asked before getting past the first sentence in the summary. Bet you didn't know Slashdot has that many lurkers... Getting first post on this one is a real accomplishment! Congrats!

    8. Re:How to Disable Stagefright? by Ukab+the+Great · · Score: 5, Funny

      Imagining everyone who texts you in their underwear.

    9. Re:How to Disable Stagefright? by wonkey_monkey · · Score: 2

      What are the chances of someone texting me while I'm in their underwear?

      -----------------------

      Alternative reply: Way ahead of you.

      --
      systemd is Roko's Basilisk.

    10. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 0

      Better yet, buy a new phone that doesn't run Android.

    11. Re: How to Disable Stagefright? by Anonymous Coward · · Score: 0

      Pretty good, actually. "Don't bother returning that pair of underwear you took - just keep them. Ew."

    12. Re:How to Disable Stagefright? by macs4all · · Score: 3, Informative

      Please follow this guide to disable it:

      1. Stand up
      2. Take phone in hand
      3. Take a few steps to the trash bin
      4. Throw phone in trash bin

      That was modded "Funny"; but it's actually True for the vast majority of Android Users.

    13. Re:How to Disable Stagefright? by Shakrai · · Score: 1

      There's an easier way. Just put the phone in airplane mode. Problem solved.

      (Some minor loss in functionality may occur, but you can never be too safe....)

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.

    14. Re:How to Disable Stagefright? by leuk_he · · Score: 1

      from this git entry I would suspect meta data parsing errors.

      so in /system/boot.prop (root required)
      [code]
      media.stagefright.enable-meta=false
      media.stagefright.enable-scan=false
      [/code]

      However, one cannot be sure about this.

    15. Re: How to Disable Stagefright? by Anonymous Coward · · Score: 0

      1. Stand up
      2. Take phone in hand
      3. Take a few steps to the trash bin
      4. Properly recycle the phone and throw yourself in the trash bin

    16. Re:How to Disable Stagefright? by Tough+Love · · Score: 1

      There's an easier way. Just put the phone in airplane mode. Problem solved. (Some minor loss in functionality may occur, but you can never be too safe....)

      No problem, it will still work fine as a bottle opener.

      --
      When all you have is a hammer, every problem starts to look like a thumb.

    17. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 0

      Yes because throwing your phone in the bin means that the hacker won't be able to send the message, steal everything on your phone and take your money.

      At least turn it off before advising to throw it away....well until Google accounts get hacked. Then you're stuffed!

      If you think Apple's safer you're deluded.

    18. Re: How to Disable Stagefright? by KGIII · · Score: 1

      Stop going through your mom's sent messages. I took them for sentimental reasons you insensitive clod!

      --
      "So long and thanks for all the fish."

    19. Re: How to Disable Stagefright? by Anonymous Coward · · Score: 0

      I would have thought that any slashdot poster would have realized that we were talking about a metal trash can with a lid. Placing your phone in there will effectively put it in a Faraday cage, protecting it from possible attack. Duh.

    20. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 0

      Or actually disable MMS:

      Settings -> Wireless & Networks -> More... -> Mobile networks -> Access Point Names -> -> Change MMSC and MMS proxy to invalid values.

    21. Re:How to Disable Stagefright? by macs4all · · Score: 1

      If you think Apple's safer you're deluded.

      Citation, please.

    22. Re: How to Disable Stagefright? by Anonymous Coward · · Score: 0

      You can't disable it that I know of. But you can simply just turn off auto downloading of MMS in your messaging app so that if anyone sends you this text you'll basically have to press open before the exploit could take hold.

  2. I'm safe. by Anonymous Coward · · Score: 1

    My carrier blocks MMS--suck it!

    1. Re:I'm safe. by Anonymous Coward · · Score: 0

      If data & WiFi is off the mms won't download, you'll get a message that it won't display unless you turn it on. That's why I leave them off, so I only get plain text messages.

  3. Android versions prior to Jelly Bean, version 4.1 by Anonymous Coward · · Score: 4, Informative

    "Android versions prior to Jelly Bean, version 4.1, representing roughly 100 million devices, have “inadequate exploit mitigations” that wouldn’t prevent Stagefright attacks over MMS."

    You're welcome.

  4. What benefit to announcing it? by pz · · Score: 3, Insightful

    This group sounds like they acted reasonably and responsibly, letting Google know there was a problem, and submitting good patches to correct the issue.

    If, now, there's some other fundamental impediment to distributing a correction to the bug that does not have to do with Google, but rather with the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix, why should the vulnerability be made public? I don't see any apparent upside to the public good.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.

    1. Re:What benefit to announcing it? by Anonymous Coward · · Score: 2, Insightful

      Vendors like to sit on their hands when there's no direct incentive to do otherwise. Unless there's a deadline where "bad things happen", they'll sit on their hands forever. The public good is that it teaches the vendors that there's consequences to hand sitting.

    2. Re:What benefit to announcing it? by Bugler412 · · Score: 4, Insightful

      Upside would be forcing carriers and OEMs to actually support their product in an ongoing fashion rather than quietly stopping updates shortly after releasing the device, as is the case with many lower end Android devices.

    3. Re:What benefit to announcing it? by mwvdlee · · Score: 2

      I don't see any apparent upside to the public good.

      If vulnerabilities would never be publicly exposed, it would remove incentive to fix the vulnerabilities.
      Companies generally don't like to spend money fixing problems that they could far more cheaply deny.
      The public good of "public disclosure" is that it makes companies accountable for their (in)actions.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?

    4. Re:What benefit to announcing it? by Anonymous Coward · · Score: 0, Insightful

      Upside would be forcing carriers and OEMs to actually support their product in an ongoing fashion rather than quietly stopping updates shortly after releasing the device, as is the case with many lower end Android devices.

      Cell phones are disposable shit, like so many other disposable shit products of our consumerist society.
      What in the world makes you think the seller (in this case ATT, or Sprint, or Verizon etc...) gives a fuck about you after they've already gotten the Franklins out of you? Even Apple is not immune to this. Their very expensive disposable shit is not supported forever, and god forbid should an exploit be found then. What are Appletards supposed to do? Simple, fork over more Franklins for the new shiny cell phone and the cycle continues on and on. Just look at what happens with hacked cars. And imagine the chaos when the fucking internet of things comes along. You'll be at the mercy of those criminals because you've bought into technology that's disposable. And the only way to fix it is to buy more update versions of the same shit. If this is not some kind of completely fucked up situation I don't know what is.

    5. Re:What benefit to announcing it? by zarmanto · · Score: 4, Informative

      ... the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix...

      Faulty premise: The issue isn't that they do not have the ability to distribute fixes; it's that they each have different levels of corporate red tape, preventing the expeditious distribution of these fixes. That's been an ongoing problem in the Android market for years, now. Thus, the benefit of this reveal is that, when an exploit hits the wild (and it would have with or without this announcement) these researchers (and Google) can all respond to outraged customers by saying, "Don't blame me! I did my part!" and point their fingers out to the carriers.

    6. Re:What benefit to announcing it? by Anonymous Coward · · Score: 0

      Let's be clear. This group found the exploits (that's what their company does, remember) and not only informed Google, but actually wrote patches to fix it. What they have released is merely information about this exploit actually existing. They are holding the "proof-of-concept" until the blackhat conference. If and when they release that, prior to the manufacturers releasing a patch, would be a problem. Informing us it's there is not teaching us how to use it.

      It's sad to say but in today's software world, you basically have to threaten the company to get them to address the concern, putting a date (Aug 4th 2015) on releasing the full hack gives the software makers, and manufacturers, a deadline to patch this.

      If they don't make these things public, only they and the bad guys know

    7. Re:What benefit to announcing it? by brunes69 · · Score: 3, Interesting

      I disagree. It will put pressure on all the cell phone manufacturers and carriers to stop dragging their feet and release updates in a timely fashion.

      This way Google and the group can say "we warned you" if a bunch of Verizon Samsung customers get exploited because Verizon would not allow the release to be published. No carrier wants that kind of news item.

    8. Re:What benefit to announcing it? by Anonymous Coward · · Score: 0

      Look at it this way.

      Governments and criminal organizations have the resources to find and exploit these vulnerabilities. They may have known about this particular vulnerability for some time now.

      Making it public pressures Google to try to fix the problem, AND pressures Google to pressure manufacturers to push the fixes to customers, at the risk of making everyone look bad, and lose business (Google in particular).

      That's the theory, anyway. In practice, what happens is that new models (if any) get the patch, while old models are screwed, which makes publishing the vulnerability even more important: it allows informed individuals - such as ourselves - to try to defend themselves against this by either mitigating the damage (apparently, by disabling hangouts) or applying the fix ourselves.

      In any event, now that there is a fix there's no point in delaying the vulnerability disclosure.

    9. Re:What benefit to announcing it? by Anonymous Coward · · Score: 0

      Cell phones are disposable shit, like so many other disposable shit products of our consumerist society.

      I just don't find $450-$600 dollars disposable. I guess the reliable "solution" is to avoid buying smartphones, and just rely on mass produced, inflexible feature phones.

    10. Re:What benefit to announcing it? by Overzeetop · · Score: 2, Insightful

      Verizon doesn't give a rat's ass. You want a fixed phone, come buy a new one you fucking turd. Oh, and pay more for the service because fuck you.

      To those who believe that when they paid $200 for a phone as a guarantee for being able to pay $600-1000/yr for service: Well, in the immortal words of their spokesperson, "Pray I do not alter [the deal] any further"

      --
      Is it just my observation, or are there way too many stupid people in the world?

    11. Re: What benefit to announcing it? by Anonymous Coward · · Score: 0

      Too bad you are just spouting, and not sharing any REAL information. Your ignorance is showing.

    12. Re:What benefit to announcing it? by Anonymous Coward · · Score: 0

      Well, let's see... My wife and I are already safe since we have Nexus 6 devices. But, my kids both have a Nexus 5 - and the article says that they have not been patched yet. Disclosure should shame Google into patching these devices (since patches for them do not have to be approved by the carrier). It is shameful that Google hasn't already patched the older Nexus. So even Google hasn't done everything they could here. Disclosure will pretty much force their hand.

    13. Re:What benefit to announcing it? by jo_ham · · Score: 1

      Since Google has patched the exploit in the main Android distribution, the announcement is to "encourage" OEMs who haven't yet pushed that fix to still-vulnerable devices.

    14. Re:What benefit to announcing it? by Bugler412 · · Score: 1

      even mass produced inflexible feature phones have exploits and vulnerabilities, just not as widely abused or as powerful

    15. Re:What benefit to announcing it? by DarkOx · · Score: 1

      Because if one person can find an exploit so can someone else. At some point you have to go public because other ways Hacking Team like business can just keep selling it as a zero day to all manner of bad actors and end users are left exposed.

      At lease if you let the cat out of the bag individuals can decide to stop using their phone if they believe the liberty or safety may be threatened as result. At that point you may be exchanging some activist keeping his head attached to his neck for price of script kiddies embarrassing some celebrities by publishing their nudes. It might just be the best of bad options.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html

    16. Re:What benefit to announcing it? by cliffjumper222 · · Score: 2

      Having worked for a phone manufacturer, the biggest red tape of all is the complete lack of budget to pay for maintaining software on a device that has been sold and is generating no revenue after that point. The only companies that make $'s are the carriers, the app sellers and Google. The carriers can and do twist the arm of OEM's to keep SW updated, but I've never heard of a carrier willing to pay a maintenance fee to OEM's for this. Anyone else know if this happens?

    17. Re:What benefit to announcing it? by macs4all · · Score: 1

      If, now, there's some other fundamental impediment to distributing a correction to the bug that does not have to do with Google, but rather with the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix, why should the vulnerability be made public? I don't see any apparent upside to the public good.

      Now, if the shoe was on the other foot, and the vulnerability was in iOS instead, would you be of the same opinion?

      And I'm sorry, if you have the resources of a cellphone manufacturer, then you DO have the resources to distribute a fix, sorry.

    18. Re:What benefit to announcing it? by macs4all · · Score: 4, Insightful

      Even Apple is not immune to this. Their very expensive disposable shit is not supported forever, and god forbid should an exploit be found then.

      NOTHING is supported "Forever". It is simply impractical to do so.

      However, if you think the "Support" (or rather, complete lack thereof) that is given to nearly EVERY Android Device has even the SLIGHTEST resemblance to the Support given to iOS devices even several years old (my iPad 2 and iPhone 4s STILL receive OS Updates), you are simply delusional.

    19. Re:What benefit to announcing it? by Anonymous Coward · · Score: 0

      iOS 8 which is the current version, is still supporting the 4 year old iPhone 4S.

      Not perfect decade long support, but better than 30 days of updates (if that).

    20. Re:What benefit to announcing it? by macs4all · · Score: 1

      Having worked for a phone manufacturer, the biggest red tape of all is the complete lack of budget to pay for maintaining software on a device that has been sold and is generating no revenue after that point. The only companies that make $'s are the carriers, the app sellers and Google. The carriers can and do twist the arm of OEM's to keep SW updated, but I've never heard of a carrier willing to pay a maintenance fee to OEM's for this. Anyone else know if this happens?

      Funny; Apple seems to do it just fine (yes, yes: only to a point, of course). But that's because they were smart enough to retain control of their product; rather than allowing every downstream "partner" to stick their grimy little hands (and grimy code) into the codebase.

      Wow! An OEM actually having a say about what code runs in their products... What a concept!!!

    21. Re:What benefit to announcing it? by sjames · · Score: 1

      But the devices won't last forever, so that's not what is being asked of vendors. Support as long as the hardware can reasonably be expected to last in significant numbers is a much shorter period of time and probably not so much of an ask.

      If they don't want to commit for that long, perhaps they should advertise their product as disposable.

    22. Re:What benefit to announcing it? by Shakrai · · Score: 2

      My Western Electric Model 1500 begs to differ.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.

    23. Re:What benefit to announcing it? by macs4all · · Score: 4, Insightful

      But the devices won't last forever, so that's not what is being asked of vendors. Support as long as the hardware can reasonably be expected to last in significant numbers is a much shorter period of time and probably not so much of an ask.

      If they don't want to commit for that long, perhaps they should advertise their product as disposable.

      Your point being?

      Apple has hands-down the best track record of supporting less-than-current-generation mobile hardware. Even Google is dropping support for most of the past generations of NEXUS hardware; something they basically stated they wouldn't do.

      And as for all the rest of the Android OEMs: Well, they should simply be ashamed of themselves, period.

    24. Re:What benefit to announcing it? by sjames · · Score: 1

      Apple is the best of the bad, Google is slipping and breaking promises and as usual, the carriers are making squishy sounds in the slime pit.

      But since the entire concept of the free market depends on well educated consumers, the FTC should make the market stronger by forcing them all to state the service life up front and stick to it. For the good of the market.

    25. Re:What benefit to announcing it? by Anonymous Coward · · Score: 0

      Or cheap, good, unlocked smartphones like the MOTO G and E.

    26. Re:What benefit to announcing it? by Blaskowicz · · Score: 1

      Mine doesn't have a web browser, or even MMS.
      It's still a tiny computer (has USB, SD, FM) and *maybe* it can be messed with, but the easier way would be to take a JTAG to it after stealing it from me somehow.

    27. Re:What benefit to announcing it? by Tough+Love · · Score: 2

      If vendors were even halfway responsible and ethical, the last OTA before dropping support would always always leave the rom unlocked for community maintenance. But vendors are not anywhere near halfway responsible and are more than halfway stupid.

      --
      When all you have is a hammer, every problem starts to look like a thumb.

    28. Re:What benefit to announcing it? by Tough+Love · · Score: 1

      Google already updated my (gen 1) Nexus 7, yesterday. Not bad. Google gets a gold star for being responsible.

      But for my trusty HTC Vision (aka Desire Z aka T-Mobile G2) which has a Google logo on it... I guess Cyanogen. A pain. Google should have planned that out better and gets a black star for being stupid.

      --
      When all you have is a hammer, every problem starts to look like a thumb.

    29. Re:What benefit to announcing it? by Tough+Love · · Score: 1

      Ah, that would be my Nexus 4, not Nexus 7. The Nexus 7 doesn't have a phone number anyway, so it is most probably safe for the time being.

      --
      When all you have is a hammer, every problem starts to look like a thumb.

    30. Re:What benefit to announcing it? by sjames · · Score: 1

      Agreed.

    31. Re:What benefit to announcing it? by Anonymous Coward · · Score: 0

      Where is the support for Apple PPC products? Nonexistent? oh yeah, they really keep things up to date! No worries!

      The simple fact is, Apple expects every single one of their plebs to buy the latest hardware every few years. Fucking hell, their whole business model depends on it.

    32. Re:What benefit to announcing it? by cynicist · · Score: 2

      My Nexus 4 is still getting the latest OS updates even though it is several years old, and the Nexus 5 is as well. The main reason the Galaxy Nexus isn't getting further support is likely because the chipset manufacturer has exited the market entirely.

      Don't forget that Google does not make the hardware themselves, unlike Apple.

    33. Re:What benefit to announcing it? by the_B0fh · · Score: 1

      Even Apple is not immune to this. Their very expensive disposable shit is not supported forever, and god forbid should an exploit be found then. What are Appletards supposed to do? Simple, fork over more Franklins for the new shiny cell phone and the cycle continues on and on.

      Apple supported the iPhones with up to 4 years of patches. Is there any company with better track record? Oh, you want support forever? You should get a phone with an annual support contract then.

    34. Re:What benefit to announcing it? by KGIII · · Score: 1

      I just splice into the wires when you are not home and install a recording device. Exploit done. Alternatively, I whack you in the head with a hammer and steal it then I have all the data (none) that was on the phone.

      --
      "So long and thanks for all the fish."

    35. Re:What benefit to announcing it? by KGIII · · Score: 1

      If you have a speech impediment then do not use speech-to-text or do make an effort to preview your posts. You were looking for "otherwise" and "at least."

      --
      "So long and thanks for all the fish."

    36. Re:What benefit to announcing it? by Bugler412 · · Score: 1

      Don't focus on "flagship" or "reference devices" like Nexus or Galaxies. Think about the mid and low range Androids that make up the bulk of the market and look at the average length of support (in terms of software updates) for those devices. The high end devices tend to be actively supported for much longer than where the real middle of the bell curve market is at. Especially if the device is purchased late in the retail shelf life of the device. Perhaps a "rule" like: "full software update support available for 2 years from date of purchase" is required, perhaps to be imposed from above on carriers and OEMs?

    37. Re:What benefit to announcing it? by macs4all · · Score: 1

      My Nexus 4 is still getting the latest OS updates even though it is several years old, and the Nexus 5 is as well. The main reason the Galaxy Nexus isn't getting further support is likely because the chipset manufacturer has exited the market entirely. Don't forget that Google does not make the hardware themselves, unlike Apple.

      Interesting. I may stand corrected. I saw somewhere else in this thread that Google was dropping support for earlier Nexi models with the release of Android "M". But in typical Slashdot fashion, I can't find the comment again...

    38. Re:What benefit to announcing it? by macs4all · · Score: 1

      Where is the support for Apple PPC products? Nonexistent? oh yeah, they really keep things up to date! No worries!

      The simple fact is, Apple expects every single one of their plebs to buy the latest hardware every few years. Fucking hell, their whole business model depends on it.

      Um, Apple made the switch to Intel in 2006, NINE YEARS AGO. The switch was announced on June 6, 2005.

      I happen to have a G5 1.8 Dualie that I purchased new in April 2005, about 2 mos. before the announcement of the Intel Switch (Grrr!). When they switched, the current version of OS X (which was available for both PPC and Intel in separate versions) was 10.4 (Tiger). My G5 still works fine on 10.5 Leopard (which was released on 10/26/2007 as a Universal Binary). They issued periodic Updates for the Applications and OS 10.5 up through the launch of 10.7 Lion on 7/20/2011, and even issued a few critical Security Updates after that.

      As far as Application Development, for example, the first Intel-Only version of Logic Pro, 9.1 was released on 1/12/2010. The previous version, Logic Pro 9.0, announced on 7/23/2009, was a Universal Binary. The last version of iTunes to support PPC (and Intel) was 10.6.3 (released sometime in 2011, I think). I can't find an exact release date for the next version of iTunes (the first version to be Intel-Only), but it appears to be sometime in 2012. Et cetera.

      Apple stopped providing automatic downloads for Updates through their Software Update service for MacOS 9 (Classic) and OS X versions 10.0 through 10.3 (and related Applications) on 7/31/2012, although they are still available through Apple's "Downloads" Page. I presume that Updates for OS X versions 10.4 and up, including the PPC versions (and related Applications) are still available automatically through Software Update.

      So, we can legitimately call it from 2005 to 2012 (there was a Security Update to iTunes 10.6.3 on 6/12/2012, which appears to be the latest PPC-based Security Update to any Apple Software) before Apple actually dropped all development for, and support of, PPC Macs. SEVEN YEARS is pretty damned good, IMHO.

      So, IOW, it seems like Apple "Expects" you to buy new Hardware about every SEVEN years. Yeah, that's really "pushy" in the Computer universe. Yeah, right.

    39. Re:What benefit to announcing it? by cynicist · · Score: 1

      Oh, no one knows either way about Android M support right now. I've seen lots of speculation and people talking about device strings but none of it seems concrete to me. I just meant that so far my Nexus 4 is on the same version of Android as my Nexus 6, and with some luck it will continue to be supported through M. (It's already long past Google's 18-month or so support window)

    40. Re:What benefit to announcing it? by macs4all · · Score: 1

      Oh, no one knows either way about Android M support right now. I've seen lots of speculation and people talking about device strings but none of it seems concrete to me. I just meant that so far my Nexus 4 is on the same version of Android as my Nexus 6, and with some luck it will continue to be supported through M. (It's already long past Google's 18-month or so support window)

      Whoa, Nelly!!!!

      So, even the vaunted support for the Nexus brand is only "Guaranteed" for a year and a half?!?

      FFS, Apple is still supporting (even up through the current version, iOS 9) my iPad 2, which was first sold on March 11, 2011, over FOUR years ago (a millennium in mobile-device-years). Apple has even released versions of iOS specifically targeted at improving performance on the iPad 2.

      Similarly, Apple also still supports (even up through the current version, iOS 9) my iPhone 4s, which was released on October 4, 2013, the day before Jobs' death. In fact, I often thought that the real, "secret" reason behind the model name "4s" was "for Steve", "3GS", etc. notwithstanding.

      And I believe there was even a relatively-recent "Security Update" for the iPhone 3GS, which was introduced on June 8, 2009. Support ended for the 3GS on or around September 12, 2012.

      As far as standalone Security Updates, in May, 2011, Apple patched versions of iOS back to iOS 3.0 with their iOS Update 5. Quite frankly, I don't understand that Security Update, especially considering there is an Apple document dated April, 2015 that talks about it.

    41. Re:What benefit to announcing it? by cynicist · · Score: 1

      Your reaction is strange to me. Apple has no guaranteed support period as far as I am aware. And again, my Nexus 4 (3 years old by now) is still receiving updates. This is on top of the fact that Google does not even manufacture their own hardware.

      And it's not like the OS updates you are talking about are exactly Apples to Apples. What features does Android drop to ensure compatibility with older devices? And Apple? Anyway, I think I understand what your response was about. Take care.

  5. /system/lib/libstagefright* by emil · · Score: 5, Informative

    The problem appears to lie in one of the files /system/lib/libstagefright*

    NPR is saying that Google Hangouts makes the problem worse:

    The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery... this setup invites the malware right in. If you're using the phone's default messaging app, he explains, it's "a tiny bit less dangerous." You would have to view the text message before it processes the attachment. But, to be clear, "it does not require in either case for the targeted user to have to play back the media at all," Drake says.

    It would appear prudent to uninstall Google Hangouts. If you can disable MMS with your carrier, do so, otherwise do not look at text messages from originators that you do not know - delete the conversations.

    Carriers are unlikely to patch (look at SamsungIME.apk if you think OEMs or carriers will lift a finger to help us).

    Root your phone, and await a new set of /system/lib/libstagefright* files - Cyanogenmod will likely provide KitKat copies if they ever shirk their laziness long enough to deliver the final promised KitKat milestone.

    1. Re:/system/lib/libstagefright* by Anonymous Coward · · Score: 0

      "The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery... this setup invites the malware right in."
      Just goes to show that Google once again designs for convenience at the risk of privacy and security.

    2. Re:/system/lib/libstagefright* by Anonymous Coward · · Score: 0, Funny

      Kind of surprising this isn't already patented by Apple.

    3. Re:/system/lib/libstagefright* by GNious · · Score: 3, Informative

      If you can disable MMS with your carrier, do so, otherwise do not look at text messages from originators that you do not know - delete the conversations.

      While that seems like a generally prudent step, in this case...

      lets attackers compromise a device through a simple multimedia text — even before the recipient sees it.

    4. Re:/system/lib/libstagefright* by Overzeetop · · Score: 1

      "Root your phone, and await a new set of /system/lib/libstagefright* files"

      I'm actually kind of hoping this is a viable option. I dread the idea of re-installing my phone from scratch, but a drop-in replacement for the affected files would certainly be welcome.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    5. Re:/system/lib/libstagefright* by arkane1234 · · Score: 2

      Nah, Hangouts is owned by Google, you're okay.

      --
      -- This space for lease, low setup fee, inquire within!
    6. Re:/system/lib/libstagefright* by CylanR77 · · Score: 2

      They just haven't been paying attention to their history lessons.

      Outlook used to do the same sort of thing, with similar results: it would automatically display emails and certain attachments, and it turns out that some types of media or emails could have had malware embedded in them...

      But hey, that was over ten years ago so surely this sort of problem could never come up again, right?

      --
      http://cylan.deviantart.com/gallery/
    7. Re:/system/lib/libstagefright* by buckfeta2014 · · Score: 0

      It still works... you embed an image with a url to a php script. Image gets loaded on the client, and the remote luser gets all the goodies that come with an internet fetch. (IP, client software and version, etc)

      --
      Buck Feta. You know what to do.
    8. Re:/system/lib/libstagefright* by macs4all · · Score: 1

      Root your phone, and await a new set of /system/lib/libstagefright* files - Cyanogenmod will likely provide KitKat copies if they ever shirk their laziness long enough to deliver the final promised KitKat milestone.

      So, what do you suggest for the 99.99999997% of the Android Users that wouldn't know how to "root your phone" or even what that means?

      Oh, I know: They're just stupid LUsers that deserve to be pwned, right?

    9. Re:/system/lib/libstagefright* by Anonymous Coward · · Score: 1

      The main option is to buy a new phone, one that will be updated with security updates from a carrier/manufacturer that cares.

    10. Re:/system/lib/libstagefright* by macs4all · · Score: 0

      The main option is to buy a new phone, one that will be updated with security updates from a carrier/manufacturer that cares.

      IOW, an iPhone, period.

    11. Re:/system/lib/libstagefright* by drinkypoo · · Score: 3, Interesting

      I'm actually kind of hoping this is a viable option. I dread the idea of re-installing my phone from scratch, but a drop-in replacement for the affected files would certainly be welcome.

      Probably not. libstagefright is, nominally, per-GPU. Every GPU vendor would have to roll their own. And then it would have to be tested... It's just not going to happen at all. Everyone is going to say "time to move on" and blame the vendors. The vendors will blame the GPU makers...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    12. Re:/system/lib/libstagefright* by Anonymous Coward · · Score: 0

      Or... you could opt for a truly out-of-the-box-secure device and get a BB10.3 Blackberry...

    13. Re: /system/lib/libstagefright* by Anonymous Coward · · Score: 0

      Drake is not only a rap star, but now also works in security? Busy guy!

    14. Re:/system/lib/libstagefright* by Anonymous Coward · · Score: 0

      Can I get it with an Apple logo on it?

    15. Re:/system/lib/libstagefright* by Anonymous Coward · · Score: 0

      I know far too many people (about 75% of users that I know) that have had their iPhones permanently bricked due to the (patched, but only updated on ~2% of iPhones) SMS exploit. I must say, a factory reset to clean up an exploit is preferable to buying an entirely new phone. Most people agree with me.

    16. Re:/system/lib/libstagefright* by Anonymous Coward · · Score: 0

      Or just deselect the option in Hangouts to process MMS messages immediately.

    17. Re:/system/lib/libstagefright* by Anonymous Coward · · Score: 0

      http://www.theregister.co.uk/2015/04/22/apple_no_ios_zone_bug/

    18. Re:/system/lib/libstagefright* by rhazz · · Score: 1

      Or you could just install the older "Messaging" application and switch the default messaging app. I bought a new phone last week and it asked me when initializing to confirm Hangouts as the default messaging app. I didn't really know much about Hangouts - I tried it, it was terrible, so I quickly got the older "Messaging" app from the play store and updated the settings. Very easy to do. I assume you can still be attacked by getting a Hangout message, but I assume that requires more knowledge about your target than just their phone number.

    19. Re: /system/lib/libstagefright* by Anonymous Coward · · Score: 0

      This isn't a Hangouts bug, otherwise Google could just send out an update and be done with it. No, the Stagefright media app is way down in the OS itself. Theoretically any app that calls Stagefright could be an opening for attack. So the older messaging app, as well as any app that handles SMS, and maybe even any app that uses Stagefright (WhatsApp, Facebook Messenger, etc.?).

  6. Re:Android versions prior to Jelly Bean, version 4 by Anonymous Coward · · Score: 0

    Hmm, the article suggests that we must consider ALL devices to be open to this attack, and later states that quote you provided. So are builds above 4.1 already fixed? I'm running the S4 stock 5.0.1 and yes, it took Samsung forever to get that released compared to the google release of the code.

    I'll have to take a look at the CVEs myself as the article seems to leave me in conflict, either all devices are waiting for a patch, or devices below 4.1 need it.

  7. Re:Android versions prior to Jelly Bean, version 4 by itamihn · · Score: 2

    This sounds far less than the 95% of Android devices stated in the article. It would affect 11% of users (http://developer.android.com/about/dashboards/index.html).

  8. I'm on Lollipop, so it doesn't affect me by Anonymous Coward · · Score: 1

    because my android tablet is so slow it's completely useless now.

    1. Re:I'm on Lollipop, so it doesn't affect me by Zanadou · · Score: 1

      Nexus 7, original (2012) version?

  9. value on black market by edxwelch · · Score: 4, Insightful

    So, remote execution vulnerability on nearly 1 billion devices...
    I wonder how much they would have made if they had sold it on the black market, instead of telling Google about it?

    1. Re:value on black market by Anonymous Coward · · Score: 0

      Why even sell it? Exploit it and profit beyond what any human could imagine.

      Fortunately some people have morals. :/

  10. How to fix it. by Anonymous Coward · · Score: 5, Funny

    Please give me your phone numbers so I can text you the fix for this issue.

    1. Re:How to fix it. by Anonymous Coward · · Score: 0

      127 0 0 1

    2. Re:How to fix it. by JBallz · · Score: 5, Funny

      867-5309

    3. Re:How to fix it. by Anonymous Coward · · Score: 0

      So that's what the J stands for!

    4. Re:How to fix it. by Anonymous Coward · · Score: 0, Funny

      (844) 387-6962

    5. Re:How to fix it. by vettemph · · Score: 1

      I got it.

      --
      The government which is strong enough to protect you from everything is strong enough to take everything from you.
    6. Re:How to fix it. by Anonymous Coward · · Score: 0

      (202) 324-3000

    7. Re:How to fix it. by Anonymous Coward · · Score: 0

      *copy-pastes number into Google*

      I got it too!

    8. Re:How to fix it. by antdude · · Score: 1

      911 :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  11. NuPlayer by brunes69 · · Score: 2

    It is unclear to me from these articles or any research I was able to do, if you are vulnerable to this exploit if you use Lollipop which uses NuPlayer by default, not Stagefright.

    1. Re:NuPlayer by IamTheRealMike · · Score: 1

      Don't worry, NuPlayer is sure to have its own unique collection of buffer overflows!

  12. HTC - throw away your phone by Anonymous Coward · · Score: 0

    "Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix."

    I presume that means that if you buy a new HTC phone you'll get the patch. If you currently own one, you're probably SOL.

    1. Re:HTC - throw away your phone by Tough+Love · · Score: 1

      If you own an old one you are SOL. HTC typically provides a few OTA updates per model.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
  13. Google dropped the ball being too permissive by Anonymous Coward · · Score: 4, Interesting

    If Windows or Linux or Unix or any other manufacturer of an operating system had put the ability and responsibility for patching the OS in the hands of the device manufacturers or the ISPs or anybody else, they would all have the same problem that Android is suffering.

    Android gets tarnished, not because Google is lax in the updates, but because Google allowed the carriers/device manufacturers to take ownership for patching devices. At least MSFT was smart enough not to leave that up to Dell, Acer, Compaq, HP, etc.

    Google should draw a line in the sand and say going forward they will issue the patches and the carriers have to enable that on new devices or they can't play with Android toys.

    1. Re:Google dropped the ball being too permissive by Anonymous Coward · · Score: 0

      How well does that fly with that whole 'open source' concept? That sounds more like Microsoft.

    2. Re:Google dropped the ball being too permissive by Anonymous Coward · · Score: 2, Insightful

      That's not how open source works though. You cannot force downstream projects to pull upstream fixes.

    3. Re:Google dropped the ball being too permissive by 0123456 · · Score: 1

      Except Google don't even keep updating their own devices. Last I heard, it sounded like they're tossing several Nexus devices out the window with Android M.

      Much as I hate to do so, I'll be replacing my Nexus 7 with an iPad when Google obsolete it. I'm sick of Android's hopeless lack of security, lack of permission controls, and lack of updates.

    4. Re:Google dropped the ball being too permissive by Anonymous Coward · · Score: 0

      Enjoy getting updates that cripple your device while still being vulnerable to web/etc based root vulnerabilities.

    5. Re:Google dropped the ball being too permissive by 0123456 · · Score: 1

      Enjoy getting updates that cripple your device while still being vulnerable to web/etc based root vulnerabilities.

      Just like Android, then.

      Except you can keep installing the updates until the device is simply too outdated to run them.

    6. Re:Google dropped the ball being too permissive by macs4all · · Score: 1

      That's not how open source works though. You cannot force downstream projects to pull upstream fixes.

      Like Android is Open Source, anyway. Just TRY to get ALL the Source for your nice Galaxy 6.

    7. Re:Google dropped the ball being too permissive by Anonymous Coward · · Score: 1

      What if I could just choose what software I wanted on my phone, like I can on a PC? Nah, that would be ridiculous!

    8. Re:Google dropped the ball being too permissive by Tough+Love · · Score: 1

      At least MSFT was smart enough not to leave that up to Dell, Acer, Compaq, HP, etc.

      Well... but Microsoft's devices are still the ones that regularly end up so infested with malware they aren't usable at all, except perhaps for malware distribution. Maybe not the best model to emulate.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    9. Re:Google dropped the ball being too permissive by Anonymous Coward · · Score: 0

      Google's official line is that Nexus devices will get OS updates for 2 years, and security updates for 3.

      This seems quite similar to Apple's support policy; if you read the small print, then you'll notice that many of Apple's current features are only available on iPhone 5 or later.

    10. Re:Google dropped the ball being too permissive by the_B0fh · · Score: 1

      Do you even understand what open source is? Just means source is available. Nothing to do with whether you can pull fixes, etc.

      And Google can force them because the manufacturers have signed an agreement with Google.

    11. Re:Google dropped the ball being too permissive by Anonymous Coward · · Score: 0

      Sure, it's right here. Check out XDA devs, there are tons of ROMs built off of AOSP.

      Any other uninformed comments you want to make, Crapple shill?

    12. Re:Google dropped the ball being too permissive by macs4all · · Score: 1

      Sure, it's right here. Check out XDA devs, there are tons of ROMs built off of AOSP.

      Any other uninformed comments you want to make, Crapple shill?

      So why isn't this whole StageFright vulnerability a non-issue? (Which it isn't).

      Because pretty much most of the whole Android Userbase DOESN'T even know what ROOTING is, let alone how to do it, or how to install a custom ROM without borking their device.

      So, even if there ARE custom ROMs available (that you can trust!!!) for a given device, only a vanishingly small percentage of the Android Userbase knows how to take advantage of them.

  14. I'm on Gingerbread, so... by Qzukk · · Score: 1

    I'm pretty fucked if anyone wants to pwn my Sprint HTC Evo 4G.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  15. Re:Android versions prior to Jelly Bean, version 4 by jpyeck · · Score: 1

    I interpreted this sentence to imply that these versions (prior to 4.1) can not even be PATCHED. Poorly worded to say the least.

  16. Are you safe if you turn off your data plan? by GoodNewsJimDotCom · · Score: 1

    I have my data plan turned off. When I receive multimedia texts, it receives nothing but a message prompting me to download it, but it doesn't actually download anything.

    1. Re:Are you safe if you turn off your data plan? by Anonymous Coward · · Score: 0

      Don't visit websites, don't play any games that display ads, don't ever download multimedia texts (they download via wifi as well). Essentially your smartphone cannot be a smartphone safely until this is patched. As I for one do not trust ad providers to screen their media for exploits.

    2. Re:Are you safe if you turn off your data plan? by macs4all · · Score: 1

      Don't visit websites, don't play any games that display ads, don't ever download multimedia texts (they download via wifi as well). Essentially your smartphone cannot be a smartphone safely until this is patched.

      My iPhone can.

  17. I don't have a Nexus 6 (shifty eyes) by Anonymous Coward · · Score: 0

    I am disappointed to read that Google hasn't even patched its Nexus line yet. Theoretically, if I had a Nexus 6, I would be pissed that my Nexus 6 wasn't patched yet. Good thing I have an iPhone (shifty eyes), so don't bother texting me this exploit.

  18. Android in a car? by used2win32 · · Score: 2

    We see reports here of exploits like this or RSC Android last week (Link), the reports of more than 99% of all mobile malware targeting Android (Link) etc., and it makes me wonder... Why would anyone trust a vehicle running Android?

    If your phone stops working you can get another one (less than 1% of mobile malware targets Apple iOS, Windows and Blackberry combined), if your car stops working or gets hacked, it can kill you. Just wait until the first time the brakes are not available until you pay the ransomware (Link) money.

    Disclaimer: I am the user of an old dumb phone, it is not very smart...

    --
    Procrastination; I'll think of a sig tomorrow.
    1. Re:Android in a car? by Anonymous Coward · · Score: 0

      Uconnect is Blackberry. Drivers of UConnect enabled cars/trucks are still hackable.

  19. Re:Android versions prior to Jelly Bean, version 4 by Anonymous Coward · · Score: 5, Informative

    It's a mix of two factors:
    1) Fixes are available for 4.1 and up, *but*
    2) Virtually no phones have *received* the patch, because it has to flow through the manufacturer, and they simply don't *care* about updating any phone which isn't currently their flagship model.

  20. Unpaid Blackberry shill... by Rigel47 · · Score: 1, Insightful

    Yep, gonna be that annoying SoB and just make note that my BlackBerry z10 has had no ridiculous remote exploit vulnerabilities like this, has the world's best messaging platform (BlackBerry Hub), awesome battery life, a rock-solid OS that multi-tasks like a dream. And it can run most all Android apps (though they are sandboxed to prevent their many flaws from compromising the rest of the system).

    Now bring on the BB bashing!

    1. Re:Unpaid Blackberry shill... by Anonymous Coward · · Score: 2, Funny

      Now bring on the BB bashing!

      Not really much fun picking on you and the three other BB users around here...

    2. Re:Unpaid Blackberry shill... by Anonymous Coward · · Score: 0

      Or it has them and no white hats are even bothering to find/report/fix them due to its abysmally low market share and almost-ensured eventual death.

    3. Re:Unpaid Blackberry shill... by Anonymous Coward · · Score: 0

      At what age do you expect to outgrow the need to compare dick sizes?

    4. Re:Unpaid Blackberry shill... by Anonymous Coward · · Score: 0

      Kinda my point.. everyone picks iOS or android like there are no other options. Thanks but no thanks.

    5. Re:Unpaid Blackberry shill... by Anonymous Coward · · Score: 0

      Oi! Make that *FOUR* BlackBerry users!

      Quite handy to have a phone you can switch back to though - it does do messaging/social really well, even if they did have an odd design for the passport.

      Once this blows over I'll probably go back to my S6 Edge. Unfortunately I have the need to trust the data on my phone is safe (kinda stupid tbh, given it's an always-connected device)

  21. That's why.... by cooperaaaron · · Score: 1

    I will never get anything other than a NEXUS !!!!

    1. Re:That's why.... by macs4all · · Score: 1

      I will never get anything other than a NEXUS !!!!

      Hopefully not a NEXUS 5; because the Googles aren't fixing that, either.

  22. How does this differ from installing FB client? by See+Attached · · Score: 1

    Who hasn't given up any expectation of privacy when installing apps that want to pull your contact list, accounts, bloody everything? Then on the logistics front: the play store provides updates to hangout. Why would vendor (ex: Samsung, Verizon, Motorola) need to provide a patch? Is this core functionality the issue? Would seem the next time Play store wants to update Hangouts, in goes the patch. Is this just -another- slow press day when we are all supposed to be afraid, and pay attention to the media?

    --
    Time for a new Political party in the US (or two!) One is off the rails Other cant pony up a leader.
    1. Re:How does this differ from installing FB client? by mr_mischief · · Score: 1

      The vulnerability isn't in Hangouts. It's in Stagefright, which is a media library. Hangouts is only important here because it uses Stagefright in a way that exacerbates the issue. You can't fix Stagefright by updating Hangouts. You have to update Stagefright, which is part of the OS rather than part of an app.

    2. Re:How does this differ from installing FB client? by See+Attached · · Score: 1

      Ok, thanks for the clarification. Sounds like an FTC issue then... as we are paying our carriers to provide service and support. That's the expectation anyway. Is the real-world fix then to root the phone, delete stagefright libraries, while we wait for this long suspected vulnerability to get fixed by our carrier? This is a long recognized issue, shame on the Android Ecosystem for not having a solution now that day 1 is upon us. What do we lose if we root/delete the stagefright libraries? All multimedia ? Multimedia in Text?

      --
      Time for a new Political party in the US (or two!) One is off the rails Other cant pony up a leader.
    3. Re:How does this differ from installing FB client? by alanxyzzy · · Score: 1

      What do we lose if we root/delete the stagefright libraries?

      On my Nexus 7 tilapia / Cyanogenmod, 2015-07-26 snapshot I believe, I tried
      su -
      mount -o remount,rw /system
      cd /system/lib
      mkdir sf.bak
      mv libstagefright* sf.bak

      Tried a couple of apps, seemed OK, so re-booted.

      Hung on the boot spinner, didn't get as far as prompting to decrypt the user partition

    4. Re:How does this differ from installing FB client? by mr_mischief · · Score: 1

      I'm afraid I don't know exactly what will fail without the libraries. I'd think if you've got your phone rooted you'd just want Google's patch that your carrier hasn't sent you yet.

  23. Hangouts can not be removed by erice · · Score: 2

    It would appear prudent to uninstall Google Hangouts.

    Prudent but not always possible. On some versions of Android, Google Hangouts is a system app part of the os image. It can not be uninstalled. Only updates can be uninstalled, which is not helpful in this case.

    This is not the case of my old phone. It runs Gingerbread and Hangouts did not exist when Gingerbread came out. It is also not true of my new phone. I'm running a third party "debloated" version of Lollipop that omits Hangouts and other not-necessarily desired apps from the image.

    1. Re:Hangouts can not be removed by bemymonkey · · Score: 1

      You can disable system apps in the last few Android versions. This doesn't uninstall them, but it does prevent them from running.

    2. Re:Hangouts can not be removed by Kernel+Kurtz · · Score: 1

      I used Titanium Backup on my rooted phone to "freeze" Hangouts, since I can't uninstall it.

  24. Re:Android versions prior to Jelly Bean, version 4 by dsparil · · Score: 2

    Versions before 4.1 are extra vulnerable because stagefright has more privileges in those versions; I think the difference is that stagefright is sandboxed in 4.1+, but not in previous versions. So, 4.1+ is limited, an understatement, to unfettered access to the camera, microphone and storage barring the use of an additional exploit. 4.0- is totally screwed.

  25. boohoo by Anonymous Coward · · Score: 0

    So Lollipop is unaffected, all recent builds of CyanogenMod and pretty much all non-stock AOSP roms are unaffected. That "up to 950 million" number looks a little bullshitty...

    1. Re:boohoo by steveg · · Score: 1

      Where did you hear that Lollipop was unaffected or that *any* non-stock AOSP ROMs are unaffected?

      According to the article, there have been *some* mitigation features in all versions Jellybean and later, but that even the Nexus 6 with the latest firmware has only blocked *some* of the vulnerabilities.

      --
      Ignorance killed the cat. Curiosity was framed.
    2. Re:boohoo by cant_get_a_good_nick · · Score: 1

      Old versions of Android are not only affected, but less sandboxed. Android phones don't get updates that often. There are huge numbers of phones 4.x, much less Lollipop.

  26. Root your device. Do not purchase locked devices. by emil · · Score: 3, Informative

    If you have rooted your device, you can remount /system in read-write mode, and from there you can remove any file in /system/app (thus removing Google Hangouts if it was installed in this location).

    Google, the OEMs, and the carriers have formally abdicated any security stewardship for Android (case in point - Towelroot).

    If you wish to maintain a secure Android device, you must root it yourself. No one else can or will help you until you root.

  27. Mitigation by XXeR · · Score: 1

    "There are some mitigations, for example, in Google Hangout settings, a user is able to request that MMS messages are not automatically downloaded."

    Source: https://threatpost.com/android...

    1. Re:Mitigation by macs4all · · Score: 1

      "There are some mitigations, for example, in Google Hangout settings, a user is able to request that MMS messages are not automatically downloaded."

      Source: https://threatpost.com/android...

      What about the setting that keeps MMS messages from being accidentally downloaded? Where's that setting?

      Oh, wait...

  28. Re:Root your device. Do not purchase locked device by jenningsthecat · · Score: 2

    Even root access won't save my HTC Desire 510. Whenever I mount the system as read-write and remove files, (such as Facebook and Twitter .apk and .odex files), or even change files, (such as that stupid MP3 the phone plays while the screen says 'Quietly Brilliant'), HTC oh-so-helpfully restores them for me at the next cold boot, whether or not there's any network access. I'd love to install Cyanogenmod, but there's no fully functional ROM available for my phone.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  29. Re:Root your device. Do not purchase locked device by macs4all · · Score: 2, Insightful

    If you wish to maintain a secure Android device, you must root it yourself. No one else can or will help you until you root.

    So, IOW, for the 99.999999997% of Android Users that don't even know what "rooting" is, let alone how to do it, they are simply SOL until they purchase an iPhone.

  30. Re:Android versions prior to Jelly Bean, version 4 by macs4all · · Score: 0

    It's a mix of two factors: 1) Fixes are available for 4.1 and up, *but* 2) Virtually no phones have *received* the patch, because it has to flow through the manufacturer, and they simply don't *care* about updating any phone which isn't currently their flagship model.

    How's that iPhone sounding about now? At least THEY patch vulnerabilities several models back, and overall, pretty fast, too.

  31. Re:Root your device. Do not purchase locked device by emil · · Score: 1

    Try installing zero-size files of the same name. Set the permissions to 000, and apply the immutable bit (chattr +i). The chattr command is bundled with the SuperSU; it is also included with busybox.

    In the ksh, applying the output redirection operator to a file without a preceding command will serve to truncate the target file (i.e.: > facebook.apk).

  32. Very true... by emil · · Score: 1

    ...and I hope the class action lawsuits provide a useful object lesson to the Android marketplace about the importance of security patches. The more vendor agony, the better at this point.

  33. A bunch of people... by ckatko · · Score: 1

    A bunch of people here are all saying "vendors don't give a crap.", but I got a nag screen for a security update a few days ago on my Samsung S5, and if that addresses this issue, then they fixed it before I even knew there was a problem.

  34. How is this a problem? by Anonymous Coward · · Score: 0

    I mean, every, single, time I bring up the topic of mobile device (in)security to, well, virtually anyone not employed in an IT Department, they get a bit of a glazed look in their eye, and a puzzled expression on their face and usually announce/ask, "wtf do I care?"

    NOBODY outside of professional IT people give a rat's ass about mobile device security... as long as their latest brainless app/game du jour works and keeps them entertained, the rest of the world can rot.

    This is most clearly evidenced by the lack of uptake with the BB10 mobile OS: out of the box it's THE MOST secure operating system for mobile devices currently available in retail, but it has virtually no uptake because of apps and because nobody gives a rat's ass about security anymore....

    -AC

  35. Re:Root your device. Do not purchase locked device by emil · · Score: 1

    Also try making the file as a directory, and/or installing it as the null device file. On my Android, based on the directory entry for /dev/null, I might install an alias for it as mknod /system/app/facebook.apk c 1 3

  36. You joke, but maybe this is what needs doing by PeterM+from+Berkeley · · Score: 1

    It's questionable ethics to fix a security flaw for someone by hacking into their system to fix it, but it DOES seem preferable to have a white-hat text patches out to everyone prior to exploit by a bad actor, especially if the fix is relatively simple and low-risk.

    Better yet would be if the vendors just took care of it, of course, but given their lack of motivation and alacrity.....

    --PM

    1. Re:You joke, but maybe this is what needs doing by Qzukk · · Score: 1

      Better yet would be if the vendors just took care of it, of course, but given their lack of motivation and alacrity

      Perhaps the first step could be to hack the execs' phones and make them send text messages out to all the employees telling them that this patch needs to be pushed ASAP.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:You joke, but maybe this is what needs doing by Lord+Duran · · Score: 1

      And who would compensate me for time and money lost when the white-hat "fix" bricks my phone out of the blue?

  37. Re:Root your device. Do not purchase locked device by Anonymous Coward · · Score: 0

    If you wish to maintain a secure Android device, you must root it yourself. No one else can or will help you until you root.

    So, IOW, for the 99.999999997% of Android Users that don't even know what "rooting" is, let alone how to do it, they are simply SOL until they purchase an iPhone.

    I'm sure the attention this will be receiving from the media will force the vendors to patch this. They wouldn't want a massive turnover to iPhone because they were too lazy to provide a simple patch.

  38. Re:Android versions prior to Jelly Bean, version 4 by Anonymous Coward · · Score: 0

    It's a mix of two factors:
    1) Fixes are available for 4.1 and up, *but*
    2) Virtually no phones have *received* the patch, because it has to flow through the manufacturer, and they simply don't *care* about updating any phone which isn't currently their flagship model.

    How's that iPhone sounding about now? At least THEY patch vulnerabilities several models back, and overall, pretty fast, too.

    Google patched it back in April. The manufacturers of the phones are now responsible for providing it to you.

    iPhone isn't any faster. There were multiple exploits and problems that went for months until they made headlines. Plus with this information any user can root their phone and fix it. That's not something that can be easily done with an iPhone.

  39. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  40. Drake noted by Anonymous Coward · · Score: 0

    Who knew Drake was so big into network security? He's quoted in TFS!!!

  41. Re:Root your device. Do not purchase locked device by macs4all · · Score: 3

    I'm sure the attention this will be receiving from the media will force the vendors to patch this. They wouldn't want a massive turnover to iPhone because they were too lazy to provide a simple patch,

    How much would you like to lose on that bet?

  42. Re:Android versions prior to Jelly Bean, version 4 by Karlt1 · · Score: 4, Insightful

    The difference is that when Apple patches a security flaw, every semi-current iPhone user worldwide can install the patch and Apple usually patches the current version and one version back. For instance, the "goto fail" security patch that was released in March 2014 patched every phone back to iPhone 3GS in 2009 (patch for 6.x) and iOS 7.

  43. Re:Android versions prior to Jelly Bean, version 4 by macs4all · · Score: 1

    Google patched it back in April. The manufacturers of the phones are now responsible for providing it to you.

    No, you mean the CARRIERS are now "responsible" for providing it to you; since THEY are the final arbiters of what code runs in your phone.

    iPhone isn't any faster. There were multiple exploits and problems that went for months until they made headlines.

    1. There is no company called "iPhone". Just like there is no company called "Android".

    2. Citation, please?

    Plus with this information any user can root their phone and fix it.

    No. With this information, some Slashdot readers can root their phone and fix it. For those who even HAVE a "rootable" Android phone, the vast majority wouldn't even know how to look up how to root their Android device, let alone be able to actually do it without bricking their phone, or something else equally entertaining (but unhelpful).

  44. Can we confirm? by emil · · Score: 2

    What is the impact if other media.stagefright* entries are disabled? I see a long list.

    1. Re:Can we confirm? by Anonymous Coward · · Score: 0

      http://fkwon.blogspot.com/2011/05/android-toggle-stagefright.html

  45. You're safe really by Anonymous Coward · · Score: 0

    because ONLY haxx0rz can use this, and there aren't so many of them. After all, how many cyber bogey men can you find in your local cyber space interweb?

  46. Re:Root your device. Do not purchase locked device by jenningsthecat · · Score: 1

    Thanks emil, I'll try those things. I already set the perms to 000, and that didn't work, but I've never heard of the 'immutable bit' before - have to check that one out. Can I do it from Root File Explorer, or do I need to get to a terminal?

    I'll try the folder idea first, as it's easy and I've previously used it on my Linux boxen to get rid of the 'Recently Used' file.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.

  47. Google Messenger by Anonymous Coward · · Score: 0

    Grab Google Messenger off of Google Play
    https://play.google.com/store/apps/details?id=com.google.android.apps.messaging

    Open it, go into Settings.

    Make it your Default SMS app.
    Click Advanced
        Uncheck "Automatically retrieve MMS messages"

    If it hasn't retrieved it, it can't parse / process it, right?

    Enjoy the clean awesomeness that is Google Messenger. Grab their keyboard and launcher while you are at it.

  48. Can it fit in a Tweet? by Anonymous Coward · · Score: 0

    If we're now using Tweet to mean a small amount of text we need to know how big this is in the new unit of measure.

    1. Re:Can it fit in a Tweet? by cant_get_a_good_nick · · Score: 1

      Not quite what you meant, but a tweet of a malicious video can do this.

      Mild irony if Google becomes a vector for pwning Android phones with bad videos. If I was a YouTube engineer, I'd be working overtime to create a filter for bad filters.

  49. immutable by emil · · Score: 2

    You might try creating it as a directory first - you're trying to sabotage whatever script is running that restores these files, and the simplest sabotage is the best.

    Here is the description of the immutable flag from the chattr man page:

    A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

    1. Re:immutable by righteousness · · Score: 2

      None of your suggestions would work unless the phone is modded to S-Off mode to remove the write protection. What actually happens in S-On mode, which is the default, is that any change to the system files is actually made to a copy-on-write virtual filesystem. This virtual filesystem is reset on every boot so you'd get back to where you started. So there's no script that is run to restore the files as you assumed because the files are never touched in the first place.

      --
      Don't fornicate. Seriously, just don't do it.

  50. Re:Android versions prior to Jelly Bean, version 4 by Anonymous Coward · · Score: 0

    You're a fucking idiot.

  51. Re:Android versions prior to Jelly Bean, version 4 by Anonymous Coward · · Score: 0

    The data comes from the app store, from only a 7-day period. People buying lower-end phones (often featuring older versions of Android) and keeping them longer, are much more likely to use less features, less often, than others... These stats are more about "which versions to target, when aiming for rich people using their phone a lot"...

  52. Re:Root your device. Do not purchase locked device by Vitriol+Angst · · Score: 2

    they are simply SOL until they purchase an iPhone.

    I seem to remember reading that in the Android support manual.

    --
    >>"ad space available -- low rates!!!"

  53. Re:Root your device. Do not purchase locked device by Anonymous Coward · · Score: 0

    If you wish to maintain a secure Android device, you must root it yourself. No one else can or will help you until you root.

    So, IOW, for the 99.999999997% of Android Users that don't even know what "rooting" is, let alone how to do it, they are simply SOL until they purchase an iPhone.

    Not everybody can afford Apple's enormous price premium (yes just look at the huge profit margin).

  54. Re:Root your device. Do not purchase locked device by Anonymous Coward · · Score: 0

    So, IOW, for the 99.999999997% of Android Users that don't even know what "rooting" is, let alone how to do it, they are simply SOL until they purchase an iPhone.

    You should be happy that there are Android users, if everybody was an iDrone (I don't mean that to be particularly derogatory -- in fact I am one myself -- just that we all use the same phone which is the complete antithesis of the original 1984 marketing spiel) then Apple's products would suffer due to being hit with anti-trust suits. Their anti-competitive behavior of private APIs, arbitrarily locking competitors out of their platform and product bundling is only allowed because they don't have significant market power.

  55. Re:Android versions prior to Jelly Bean, version 4 by Anonymous Coward · · Score: 0

    How's that iPhone sounding about now?

    Why are you so desperate for everybody to use the same phone? Is it that you want validation that you made a good choice? Or you have a vested interest in it?

  56. Re:Android versions prior to Jelly Bean, version 4 by amicusNYCL · · Score: 2

    How's that iPhone sounding about now?

    Literally exactly the same that it sounded before this was announced. I'm going through my list of all of the reasons why I don't have an iPhone, and this announcement doesn't seem to have changed even a single one of those reasons.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black

  57. Re:Android versions prior to Jelly Bean, version 4 by Anonymous Coward · · Score: 0

    Why are you so desperate for everybody to use the same phone?

    Nobody asked for that. We just want Apple to suffer the death penalty like King Jobs did for going nuclear on patents.

  58. 867-5309 (ask for Jenny) by Anonymous Coward · · Score: 0

    See subject...

    APK

    P.S.=> That's for anyone here old enough to recall that... apk

  59. Aha! "We have a winner"... apk by Anonymous Coward · · Score: 0

    Sorry bout that JBallz - you "beat me to the punch" -> http://it.slashdot.org/comment...

    * :)

    (Nice to see there's somebody here that got that one - even IF it was before me...)

    APK

    P.S.=> Didn't see yours: In any event? "Onwards & UPWARDS"... apk

  60. Re:Android versions prior to Jelly Bean, version 4 by exomondo · · Score: 1

    Google patched it back in April. The manufacturers of the phones are now responsible for providing it to you.

    That's the problem with the Android ecosystem, Google makes the code change but then the questions of how/when/if that will reach users remain unanswered. Yes Android is open source (well the AOSP is anyway) but Google has the Open Handset Alliance which enforces terms on its members so they can use Google's Android services and get early access to the source code. Part of this contract should be a well-defined mechanism and commitment for getting security updates to users.

    When Apple puts out an update for iOS or Microsoft puts out an update for Windows it is available to all users at the same time and getting updated code to users is what matters. Google should be making it work the same way.

  61. Re:Root your device. Do not purchase locked device by macs4all · · Score: 0

    Not everybody can afford Apple's enormous price premium (yes just look at the huge profit margin).

    iPhone 6 Plus 64 GB Unlocked, no SIM, direct from Apple: US$849. One Year Apple Warranty.

    Samsung Galaxy S6 64 GB Unlocked, "International Version", listed on Amazon: US$815. And this nice disclaimer: "This cell phone may not include a US warranty as some manufacturers do not honor warranties for international version phones. Please contact the seller for specific warranty information."

    So, I'm a bit baffled; where's all that "enormous price premium"?

  62. Re:Root your device. Do not purchase locked device by Anonymous Coward · · Score: 0

    ... where they can be perma-bricked by another SMS exploit. Good thinking!

  63. Re:Root your device. Do not purchase locked device by Anonymous Coward · · Score: 1

    So, I'm a bit baffled; where's all that "enormous price premium"?

    Well first let's be clear that Samsung is not the only Android phone manufacturer so comparing just to one Samsung device is not representative of the wider market. Secondly pointing out that Apple has an enormous price premium on the iPhone does not in any way suggest that Samsung does not have an enormous price premium on the Galaxy S6. Thirdly Apple does have an enormous profit margin on the iPhone.

    So I'm not sure why you are baffled. Except perhaps your inability to understand that a statement about Apple does not mean that it applies exclusively to Apple and no other company.

  64. Use TextSecure / SMSSecure by ChoGGi · · Score: 1

    It'll give you a warning before Stagefright is used.

    https://github.com/WhisperSyst...
    You can find SMSSecure on F-Droid.

    Also check to make sure Hangouts isn't using MMS (just to be on the safe side).

  65. Re:Android versions prior to Jelly Bean, version 4 by tepples · · Score: 1

    1. There is no company called "iPhone".

    The legal name of the company is Apple Inc. It has the authority to update system software on iPhone and iPad brand devices. When people refer to "iPhone", they refer to the division of Apple responsible for iOS updates.

    Just like there is no company called "Android".

    A company called Google Inc. acquired a company called Android Inc. But there is no one entity with authority to update system software on devices. This is delegated to device manufacturers (for Wi-Fi-only tablets) or to carriers (for phones and tablets supporting cellular data service).

  66. Re:Android versions prior to Jelly Bean, version 4 by the_B0fh · · Score: 1

    How can pre-Jelly Bean ~= 100 million devices?

    This would mean post Jelly Bean ~= 1 billion devices?!?! Not possible.

  67. Everyone is missing the easier fix... by wbr1 · · Score: 1

    At least for Hangouts (not the built-in messaging app), Google could release an update that does not rely on Stagefright.

    --
    Silence is a state of mime.

  68. Re:Android versions prior to Jelly Bean, version 4 by Anonymous Coward · · Score: 0

    No, manufacturers are responsible. Why the fuck would a carrier have anything to do with the OS on *my* phone which another company manufactured?

  69. Re:Root your device. Do not purchase locked device by macs4all · · Score: 1

    So I'm not sure why you are baffled. Except perhaps your inability to understand that a statement about Apple does not mean that it applies exclusively to Apple and no other company.

    Nice backtracking.

    While I understand it could be about other companies besides Apple, it was obvious to the most casual observer that it was not intended to be about anyone but Apple.

  70. Re:Android versions prior to Jelly Bean, version 4 by macs4all · · Score: 1

    No, manufacturers are responsible. Why the fuck would a carrier have anything to do with the OS on *my* phone which another company manufactured?

    Because, dimwit, if you have an Android phone, it is the CARRIER that gets the last word on the OS software running in your phone; not Google; and not the phone's manufacturer.

  71. CyanogenMod by Zanadou · · Score: 1

    (Why the HELL are there now TWO front page threads about this??)

    I know I'm a bit late to this, but this is what I posted in the other thread:

    --

    Concerning CyanogenMod, this was posted to their Facebook page a few hours ago:

    Recent Stagefright issues

    The following CVEs have been patched in CM12.0 and 12.1 nightlies for a couple weeks. If you haven't updated already, we strongly encourage you to do so.

    CM11 will see these updates hit as part of out of band fixes this weekend (these releases occur weekly).

    CVE-2015-1538
    CVE-2015-1539
    CVE-2015-3824
    CVE-2015-3826
    CVE-2015-3827
    CVE-2015-3828
    CVE-2015-3829

    We are actively following all the DefCon events and announcements and will be keeping tabs on other disclosures that could impact CM and its derivatives.

  72. not specially an iphone by Herve5 · · Score: 1

    Even without counting non-smart phones (you know, these funny things you put a simcard in and then use to place phone calls), you get for instance Jolla phones, based on Sailfish OS, Blackberry phones, even the (somehow fossil) Openmoko device...

    The main issue I feel here is most people want things to be solved, but without losing any comfort, nor even changing OS.
    In such a case you are doomed. But not me.

    Those around calling for class action etc. are near ridiculous - the answer will simply list the devices above, to dismiss the case...

    --
    Herve S.

  73. Re: Root your device. Do not purchase locked devic by Anonymous Coward · · Score: 0

    So Apple convinced you that they have no security vulnerability ??...
    Laughable....g