'Stagefright' Flaw: Compromise Android With Just a Text
An anonymous reader writes: Up to 950 million Android phones may be vulnerable to a new exploit involving the Stagefright component of Android, which lets attackers compromise a device through a simple multimedia text — even before the recipient sees it. Researchers from Zimperium zLabs reported the related bugs to Google in April. Google quickly accepted a patch and distributed it to manufacturers, but the researchers say they don't think the manufacturers have yet passed it on to most consumers.
"The weaknesses reside in Stagefright, a media playback tool in Android. They are all "remote code execution" bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright's permissions. That would allow for recording of audio and video, and snooping on photos stored in SD cards. Bluetooth would also be hackable via Stagefright."
How can Stagefright be uninstalled / disabled?
My carrier blocks MMS--suck it!
"Android versions prior to Jelly Bean, version 4.1, representing roughly 100 million devices, have “inadequate exploit mitigations” that wouldn’t prevent Stagefright attacks over MMS."
You're welcome.
This group sounds like they acted reasonably and responsibly, letting Google know there was a problem, and submitting good patches to correct the issue.
If, now, there's some other fundamental impediment to distributing a correction to the bug that does not have to do with Google, but rather with the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix, why should the vulnerability be made public? I don't see any apparent upside to the public good.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
The problem appears to lie in one of the files /system/lib/libstagefright*
NPR is saying that Google Hangouts makes the problem worse:
It would appear prudent to uninstall Google Hangouts. If you can disable MMS with your carrier, do so, otherwise do not look at text messages from originators that you do not know - delete the conversations.
Carriers are unlikely to patch (look at SamsungIME.apk if you think OEMs or carriers will lift a finger to help us).
Root your phone, and await a new set of /system/lib/libstagefright* files - Cyanogenmod will likely provide KitKat copies if they ever shirk their laziness long enough to deliver the final promised KitKat milestone.
This sounds far less than the 95% of Android devices stated in the article. It would affect 11% of users (http://developer.android.com/about/dashboards/index.html).
Because my android tablet is so slow it's completely useless now.
So, remote execution vulnerability on nearly 1 billion devices...
I wonder how much they would have made if they had sold it on the black market, instead of telling Google about it?
Please give me your phone numbers so I can text you the fix for this issue.
It is unclear to me from these articles or any research I was able to do, if you are vulnerable to this exploit if you use Lollipop which uses NuPlayer by default, not Stagefright.
If Windows or Linux or Unix or any other manufacturer of an operating system had put the ability and responsibility for patching the OS in the hands of the device manufacturers or the ISPs or anybody else, they would all have the same problem that Android is suffering.
Android gets tarnished, not because Google is lax in the updates, but because Google allowed the carriers/device manufacturers to take ownership for patching devices. At least MSFT was smart enough not to leave that up to Dell, Acer, Compaq, HP, etc.
Google should draw a line in the sand and say going forward they will issue the patches and the carriers have to enable that on new devices or they can't play with Android toys.
I'm pretty fucked if anyone wants to pwn my Sprint HTC Evo 4G.
If I have been able to see further than others, it is because I bought a pair of binoculars.
I interpreted this sentence to imply that these versions (prior to 4.1) can not even be PATCHED. Poorly worded to say the least.
I have my data plan turned off. When I receive multimedia texts, it receives nothing but a message prompting me to download it, but it doesn't actually download anything.
God spoke to me
We see reports here of exploits like this or RSC Android last week (Link), reports that more than 99% of all mobile malware targets Android (Link), etc., and it makes me wonder... Why would anyone trust a vehicle running Android?
If your phone stops working you can get another one (less than 1% of mobile malware targets Apple iOS, Windows and Blackberry combined), if your car stops working or gets hacked, it can kill you. Just wait until the first time the brakes are not available until you pay the ransomware (Link) money.
Disclaimer: I am the user of an old dumb phone, it is not very smart...
Procrastination; I'll think of a sig tomorrow.
It's a mix of two factors:
1) Fixes are available for 4.1 and up, *but*
2) Virtually no phones have *received* the patch, because it has to flow through the manufacturer, and they simply don't *care* about updating any phone which isn't currently their flagship model.
Yep, gonna be that annoying SoB and just make note that my BlackBerry Z10 has had no ridiculous remote exploit vulnerabilities like this, has the world's best messaging platform (BlackBerry Hub), awesome battery life, and a rock-solid OS that multi-tasks like a dream. And it can run most all Android apps (though they are sandboxed to prevent their many flaws from compromising the rest of the system).
Now bring on the BB bashing!
I will never get anything other than a NEXUS !!!!
Who hasn't given up any expectation of privacy when installing apps that want to pull your contact list, accounts, bloody everything? Then on the logistics front: the Play Store provides updates to Hangouts. Why would a vendor (ex: Samsung, Verizon, Motorola) need to provide a patch? Is this core functionality the issue? Would seem the next time the Play Store wants to update Hangouts, in goes the patch. Is this just -another- slow press day when we are all supposed to be afraid, and pay attention to the media?
Time for a new political party in the US (or two!). One is off the rails; the other can't pony up a leader.
It would appear prudent to uninstall Google Hangouts.
Prudent but not always possible. On some versions of Android, Google Hangouts is a system app that is part of the OS image. It cannot be uninstalled. Only updates can be uninstalled, which is not helpful in this case.
This is not the case with my old phone. It runs Gingerbread, and Hangouts did not exist when Gingerbread came out. It is also not true of my new phone. I'm running a third party "debloated" version of Lollipop that omits Hangouts and other not-necessarily desired apps from the image.
Versions before 4.1 are extra vulnerable because Stagefright has more privileges in those versions; I think the difference is that Stagefright is sandboxed in 4.1+, but not in previous versions. So, 4.1+ is limited, an understatement, to unfettered access to the camera, microphone and storage barring the use of an additional exploit. 4.0- is totally screwed.
If you have rooted your device, you can remount /system in read-write mode, and from there you can remove any file in /system/app (thus removing Google Hangouts if it was installed in this location).
Google, the OEMs, and the carriers have formally abdicated any security stewardship for Android (case in point - Towelroot).
If you wish to maintain a secure Android device, you must root it yourself. No one else can or will help you until you root.
"There are some mitigations, for example, in Google Hangout settings, a user is able to request that MMS messages are not automatically downloaded."
Source: https://threatpost.com/android...
Even root access won't save my HTC Desire 510. Whenever I mount the system as read-write and remove files, (such as Facebook and Twitter .apk and .odex files), or even change files, (such as that stupid MP3 the phone plays while the screen says 'Quietly Brilliant'), HTC oh-so-helpfully restores them for me at the next cold boot, whether or not there's any network access. I'd love to install Cyanogenmod, but there's no fully functional ROM available for my phone.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
If you wish to maintain a secure Android device, you must root it yourself. No one else can or will help you until you root.
So, IOW, for the 99.999999997% of Android Users that don't even know what "rooting" is, let alone how to do it, they are simply SOL until they purchase an iPhone.
Where did you hear that Lollipop was unaffected or that *any* non-stock AOSP ROMs are unaffected?
According to the article, there have been *some* mitigation features in all versions Jellybean and later, but that even the Nexus 6 with the latest firmware has only blocked *some* of the vulnerabilities.
Ignorance killed the cat. Curiosity was framed.
Try installing zero-size files of the same name. Set the permissions to 000, and apply the immutable bit (chattr +i). The chattr command is bundled with SuperSU; it is also included with busybox.
In ksh, applying the output redirection operator to a file without a preceding command will serve to truncate the target file (i.e.: > facebook.apk).
...and I hope the class action lawsuits provide a useful object lesson to the Android marketplace about the importance of security patches. The more vendor agony, the better at this point.
A bunch of people here are all saying "vendors don't give a crap.", but I got a nag screen for a security update a few days ago on my Samsung S5, and if that addresses this issue, then they fixed it before I even knew there was a problem.
Also try making the file as a directory, and/or installing it as the null device file. On my Android, based on the directory entry for /dev/null, I might install an alias for it as mknod /system/app/facebook.apk c 1 3
It's questionable ethics to fix a security flaw for someone by hacking into their system to fix it, but it DOES seem preferable to have a white-hat text patches out to everyone prior to exploit by a bad actor, especially if the fix is relatively simple and low-risk.
Better yet would be if the vendors just took care of it, of course, but given their lack of motivation and alacrity.....
--PM
I'm sure the attention this will be receiving from the media will force the vendors to patch this. They wouldn't want a massive turnover to iPhone because they were too lazy to provide a simple patch,
How much would you like to lose on that bet?
The difference is that when Apple patches a security flaw, every semi-current iPhone user worldwide can install the patch and Apple usually patches the current version and one version back. For instance, the "goto fail" security patch that was released in March 2014 patched every phone back to iPhone 3GS in 2009 (patch for 6.x) and IOS 7.
Google patched it back in April. The manufacturers of the phones are now responsible for providing it to you.
No, you mean the CARRIERS are now "responsible" for providing it to you; since THEY are the final arbiters of what code runs in your phone.
iPhone isn't any faster. There were multiple exploits and problems that went for months until they made headlines.
1. There is no company called "iPhone". Just like there is no company called "Android".
2. Citation, please?
Plus with this information any user can root their phone and fix it.
No. With this information, some Slashdot readers can root their phone and fix it. For those who even HAVE a "rootable" Android phone, the vast majority wouldn't even know how to look up how to root their Android device, let alone be able to actually do it without bricking their phone, or something else equally entertaining (but unhelpful).
What is the impact if other media.stagefright* entries are disabled? I see a long list.
Thanks emil, I'll try those things. I already set the perms to 000, and that didn't work, but I've never heard of the 'immutable bit' before - have to check that one out. Can I do it from Root File Explorer, or do I need to get to a terminal?
I'll try the folder idea first, as it's easy and I've previously used it on my Linux boxen to get rid of the 'Recently Used' file.
You might try creating it as a directory first - you're trying to sabotage whatever script is running that restores these files, and the simplest sabotage is the best.
Here is the description of the immutable flag from the chattr man page:
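The "sabotage the restore script" approach from the posts above (truncate to zero bytes, chmod 000, chattr +i, or drop a directory in the file's place), as an added example script that is not from the thread. It assumes a rooted device with /system already remounted read-write; the function names are mine, and chattr is best-effort because it needs root and an ext filesystem.

```shell
#!/bin/sh
# Added example, not from the thread: pin an unwanted APK that the vendor
# image keeps restoring, using the steps discussed above. Assumes a rooted
# device with /system already remounted read-write, e.g.:
#   mount -o remount,rw /system
# chattr needs root and an ext filesystem; elsewhere it is skipped with a warning.

# neutralize_file PATH [file|dir]
#   file: replace PATH with a zero-byte, mode 000, immutable file (default)
#   dir:  replace PATH with a mode 000 directory, so a restore script that
#         copies a file of that name fails instead
neutralize_file() {
    target=$1
    mode=${2:-file}
    # Clear our own earlier stub (immutable bit, unreadable dir) before replacing it.
    chattr -i "$target" 2>/dev/null || true
    chmod u+rwx "$target" 2>/dev/null || true
    rm -rf "$target"
    if [ "$mode" = dir ]; then
        mkdir "$target"
    else
        : > "$target"   # same effect as ksh's bare "> file": create/truncate
    fi
    chmod 000 "$target"
    if ! chattr +i "$target" 2>/dev/null; then
        echo "warning: could not set immutable bit on $target" >&2
    fi
}

# release_file PATH: undo neutralize_file so a real package can be installed again
release_file() {
    chattr -i "$1" 2>/dev/null || true
    chmod u+rwx "$1" 2>/dev/null || true
    rm -rf "$1"
}

# is_neutralized PATH: succeeds if PATH is an empty mode-000 file or a mode-000 dir
is_neutralized() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    if [ -d "$1" ]; then
        [ "$perms" = "d---------" ]
    elif [ -f "$1" ] && [ ! -s "$1" ]; then
        [ "$perms" = "----------" ]
    else
        return 1
    fi
}

# Usage on a rooted device (after remounting /system read-write):
#   neutralize_file /system/app/facebook.apk
#   neutralize_file /system/app/facebook.odex dir
```

Re-run is_neutralized after the next cold boot to confirm the vendor's restore script did not get past the stub.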
not quite what you meant, but a tweet of a malicious video can do this.
Mild irony if Google becomes a vector for pwning Android phones with bad videos. If I were a YouTube engineer, I'd be working overtime to create a filter for bad filters.
Old versions of Android are not only affected, but less sandboxed. Android phones don't get updates that often. There are huge numbers of phones on 4.x, much less Lollipop.
they are simply SOL until they purchase an iPhone.
I seem to remember reading that in the Android support manual.
>>"ad space available -- low rates!!!"
How's that iPhone sounding about now?
Literally exactly the same that it sounded before this was announced. I'm going through my list of all of the reasons why I don't have an iPhone, and this announcement doesn't seem to have changed even a single one of those reasons.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
If you own an old one you are SOL. HTC typically provides a few OTA updates per model.
When all you have is a hammer, every problem starts to look like a thumb.
Google patched it back in April. The manufacturers of the phones are now responsible for providing it to you.
That's the problem with the Android ecosystem: Google makes the code change, but then the questions of how/when/if that will reach users remain unanswered. Yes, Android is open source (well, the AOSP is anyway), but Google has the Open Handset Alliance, which enforces terms on its members so they can use Google's Android services and get early access to the source code. Part of this contract should be a well-defined mechanism and commitment for getting security updates to users.
When Apple puts out an update for iOS or Microsoft puts out an update for Windows it is available to all users at the same time and getting updated code to users is what matters. Google should be making it work the same way.
So, I'm a bit baffled; where's all that "enormous price premium"?
Well, first let's be clear that Samsung is not the only Android phone manufacturer, so comparing just to one Samsung device is not representative of the wider market. Secondly, pointing out that Apple has an enormous price premium on the iPhone does not in any way suggest that Samsung does not have an enormous price premium on the Galaxy S6. Thirdly, Apple does have an enormous profit margin on the iPhone.
So I'm not sure why you are baffled. Except perhaps your inability to understand that a statement about Apple does not mean that it applies exclusively to Apple and no other company.
It'll give you a warning before Stagefright is used.
https://github.com/WhisperSyst...
you can find SMSSecure on f-droid
Also check to make sure Hangouts isn't using MMS (just to be on the safe side).
1. There is no company called "iPhone".
The legal name of the company is Apple Inc. It has the authority to update system software on iPhone and iPad brand devices. When people refer to "iPhone", they refer to the division of Apple responsible for iOS updates.
Just like there is no company called "Android".
A company called Google Inc. acquired a company called Android Inc. But there is no one entity with authority to update system software on devices. This is delegated to device manufacturers (for Wi-Fi-only tablets) or to carriers (for phones and tablets supporting cellular data service).
How can pre-Jelly Bean ~= 100 million devices?
This would mean post Jelly Bean ~= 1 billion devices?!?! Not possible.
At least for hangouts (not the built-in messaging app), Google could release an update that does not rely on stagefright.
Silence is a state of mime.
So I'm not sure why you are baffled. Except perhaps your inability to understand that a statement about Apple does not mean that it applies exclusively to Apple and no other company.
Nice backtracking.
While I understand it could be about other companies besides Apple, it was obvious to the most casual observer that it was not intended to be about anyone but Apple.
No, manufacturers are responsible. Why the fuck would a carrier have anything to do with the OS on *my* phone which another company manufactured?
Because, dimwit, if you have an Android phone, it is the CARRIER that gets the last word on the OS software running in your phone; not Google; and not the phone's manufacturer.
(Why the HELL are there now TWO front page threads about this??)
I know I'm a bit late to this, but this is what I posted in the other thread:
--
Concerning CyanogenMod, this was posted to their Facebook page a few hours ago:
Recent Stagefright issues
The following CVEs have been patched in CM12.0 and 12.1 nightlies for a couple weeks. If you haven't updated already, we strongly encourage you to do so.
CM11 will see these updates hit as part of out of band fixes this weekend (these releases occur weekly).
CVE-2015-1538
CVE-2015-1539
CVE-2015-3824
CVE-2015-3826
CVE-2015-3827
CVE-2015-3828
CVE-2015-3829
We are actively following all the DefCon events and announcements and will be keeping tabs on other disclosures that could impact CM and its derivatives.
Even without counting non-smart phones (you know, these funny things you put a SIM card in and then use to place phone calls), you get for instance Jolla phones, based on Sailfish OS, BlackBerry phones, even the (somehow fossil) Openmoko device...
The main issue I feel here is most people want things to be solved, but without losing any comfort, nor even changing OS.
In such a case you are doomed. But not me.
Those around calling for class action etc. are near ridiculous - the answer will simply list the devices above, to dismiss the case...
Herve S.