Slashdot Mirror


'Stagefright' Flaw: Compromise Android With Just a Text

An anonymous reader writes: Up to 950 million Android phones may be vulnerable to a new exploit involving the Stagefright component of Android, which lets attackers compromise a device through a simple multimedia text — even before the recipient sees it. Researchers from Zimperium zLabs reported the related bugs to Google in April. Google quickly accepted a patch and distributed it to manufacturers, but the researchers say they don't think the manufacturers have yet passed it on to most consumers.

"The weaknesses reside in Stagefright, a media playback tool in Android. They are all "remote code execution" bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright's permissions. That would allow for recording of audio and video, and snooping on photos stored in SD cards. Bluetooth would also be hackable via Stagefright."
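The summary above places the bugs in Stagefright's handling of MMS media, triggered when the attachment is parsed rather than played. This page does not say which fields are malformed, so the following is an added example, not code from the article, Zimperium, or Android: a bounded walker over MP4 boxes that shows the class of length check a parser of attacker-controlled media needs before it uses a size field as an index. The sample inputs are constructed inline; the box names and helper functions are the author's own, not anything from libstagefright.

```python
"""Added example: bounds-checked MP4 box walker over untrusted input.

Not code from the article or from Android. Every size field is validated
against the enclosing range before it is used, so a forged 32-bit size, a
size smaller than the header, or a 64-bit largesize past the buffer raises
MalformedBox instead of reading out of bounds. Sample data is constructed.
"""
import struct
from typing import Iterator, List, Optional, Tuple

HEADER = 8  # 32-bit size + 4-byte type


class MalformedBox(ValueError):
    pass


def walk_boxes(data: bytes, offset: int = 0,
               end: Optional[int] = None) -> Iterator[Tuple[bytes, int, int]]:
    """Yield (type, payload_start, payload_end) for boxes in data[offset:end]."""
    if end is None:
        end = len(data)
    while offset < end:
        if end - offset < HEADER:
            raise MalformedBox(f"truncated box header at {offset}")
        size, btype = struct.unpack_from(">I4s", data, offset)
        hdr = HEADER
        if size == 1:  # 64-bit largesize follows the type field
            if end - offset < HEADER + 8:
                raise MalformedBox(f"truncated largesize at {offset}")
            size = struct.unpack_from(">Q", data, offset + HEADER)[0]
            hdr = HEADER + 8
        elif size == 0:  # box runs to the end of the enclosing container
            size = end - offset
        # Both checks happen before `size` touches any index or loop counter.
        if size < hdr:
            raise MalformedBox(f"box {btype!r} at {offset}: size {size} < header")
        if size > end - offset:
            raise MalformedBox(f"box {btype!r} at {offset}: size {size} exceeds "
                               f"remaining {end - offset}")
        yield btype, offset + hdr, offset + size
        offset += size


def box(btype: bytes, payload: bytes = b"") -> bytes:
    """Build a well-formed box (used only to construct the samples below)."""
    return struct.pack(">I4s", HEADER + len(payload), btype) + payload


def box_types(data: bytes) -> List[bytes]:
    return [t for t, _, _ in walk_boxes(data)]


def is_well_formed(data: bytes) -> bool:
    try:
        box_types(data)
        return True
    except MalformedBox:
        return False


# Constructed samples (not captured from any real attachment)
GOOD = (box(b"ftyp", b"isom\x00\x00\x02\x00isomiso2")
        + box(b"free")
        + box(b"mdat", b"\x00" * 16))
OVERSIZED = struct.pack(">I4s", 0x7FFFFFFF, b"mdat") + b"\x00" * 16  # size past buffer
UNDERSIZED = struct.pack(">I4s", 4, b"free")                         # size < header
HUGE64 = struct.pack(">I4s", 1, b"mdat") + struct.pack(">Q", 1 << 62)  # largesize past buffer

if __name__ == "__main__":
    print(box_types(GOOD))
    for name, sample in [("oversized", OVERSIZED), ("undersized", UNDERSIZED),
                         ("huge64", HUGE64)]:
        try:
            box_types(sample)
        except MalformedBox as exc:
            print(f"{name}: rejected ({exc})")
```

The two checks before the `yield` are the whole point: a parser that trusts the size field and computes `offset + size` or `size - HEADER` first can wrap, underflow, or index past the buffer on a single crafted attachment, which is exactly the exposure the summary describes for media that is parsed on receipt.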

47 of 203 comments

  1. How to Disable Stagefright? by Anonymous Coward · · Score: 2, Interesting

    How can Stagefright be uninstalled / disabled?

    1. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 5, Funny

      Please follow this guide to disable it:
      1. Stand up
      2. Take phone in hand
      3. Take a few steps to the trash bin
      4. Throw phone in trash bin

    2. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 5, Informative

      in build.prop, media.stagefright.enable-player=false

    3. Re:How to Disable Stagefright? by Ukab+the+Great · · Score: 5, Funny

      Imagining everyone who texts you in their underwear.

    4. Re:How to Disable Stagefright? by wonkey_monkey · · Score: 2

      What are the chances of someone texting me while I'm in their underwear?

      -----------------------

      Alternative reply: Way ahead of you.

      --
      systemd is Roko's Basilisk.
    5. Re:How to Disable Stagefright? by macs4all · · Score: 3, Informative

      Please follow this guide to disable it:

      1. Stand up
      2. Take phone in hand
      3. Take a few steps to the trash bin
      4. Throw phone in trash bin

      That was modded "Funny"; but it's actually True for the vast majority of Android Users.

  2. Android versions prior to Jelly Bean, version 4.1 by Anonymous Coward · · Score: 4, Informative

    "Android versions prior to Jelly Bean, version 4.1, representing roughly 100 million devices, have “inadequate exploit mitigations” that wouldn’t prevent Stagefright attacks over MMS."

    You're welcome.

  3. What benefit to announcing it? by pz · · Score: 3, Insightful

    This group sounds like they acted reasonably and responsibly, letting Google know there was a problem, and submitting good patches to correct the issue.

    If, now, there's some other fundamental impediment to distributing a correction to the bug that does not have to do with Google, but rather with the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix, why should the vulnerability be made public? I don't see any apparent upside to the public good.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    1. Re:What benefit to announcing it? by Anonymous Coward · · Score: 2, Insightful

      Vendors like to sit on their hands when there's no direct incentive to do otherwise. Unless there's a deadline where "bad things happen", they'll sit on their hands forever. The public good is that it teaches the vendors that there are consequences to hand sitting.

    2. Re:What benefit to announcing it? by Bugler412 · · Score: 4, Insightful

      Upside would be forcing carriers and OEMs to actually support their product in an ongoing fashion rather than quietly stopping updates shortly after releasing the device, as is the case with many lower end Android devices.

    3. Re:What benefit to announcing it? by mwvdlee · · Score: 2

      I don't see any apparent upside to the public good.

      If vulnerabilities would never be publically exposed, it would remove incentive to fix the vulnerabilities.
      Companies generally don't like to spend money fixing problems that they could far more cheaply deny.
      The public good of "public disclosure" is that it makes companies accountable for their (in)actions.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:What benefit to announcing it? by zarmanto · · Score: 4, Informative

      ... the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix...

      Faulty premise: The issue isn't that they do not have the ability to distribute fixes; it's that they each have different levels of corporate red tape, preventing the expeditious distribution of these fixes. That's been an ongoing problem in the Android market for years, now. Thus, the benefit of this reveal is that, when an exploit hits the wild (and it would have with or without this announcement) these researchers (and Google) can all respond to outraged customers by saying, "Don't blame me! I did my part!" and point their fingers out to the carriers.

    5. Re:What benefit to announcing it? by brunes69 · · Score: 3, Interesting

      I disagree. It will put pressure on all the cell phone manufacturers and carriers to stop dragging their feet and release updates in a timely fashion.

      This way Google and the group can say "we warned you" if a bunch of Verizon Samsung customers get exploited because Verizon would not allow the release to be published. No carrier wants that kind of news item.

    6. Re:What benefit to announcing it? by Overzeetop · · Score: 2, Insightful

      Verizon doesn't give a rat's ass. You want a fixed phone, come buy a new one you fucking turd. Oh, and pay more for the service because fuck you.

      To those who believe that when they paid $200 for a phone as a guarantee for being able to pay $600-1000/yr for service: Well, in the immortal words of their spokesperson, "Pray I do not alter [the deal] any further"

      --
      Is it just my observation, or are there way too many stupid people in the world?
    7. Re:What benefit to announcing it? by cliffjumper222 · · Score: 2

      Having worked for a phone manufacturer, the biggest red tape of all is the complete lack of budget to pay for maintaining software on a device that has been sold and is generating no revenue after that point. The only companies that make $ are the carriers, the app sellers and Google. The carriers can and do twist the arm of OEMs to keep SW updated, but I've never heard of a carrier willing to pay a maintenance fee to OEMs for this. Anyone else know if this happens?

    8. Re:What benefit to announcing it? by macs4all · · Score: 4, Insightful

      Even Apple is not immune to this. Their very expensive disposable shit is not supported forever, and god forbid should an exploit be found then.

      NOTHING is supported "Forever". It is simply impractical to do so.

      However, if you think the "Support" (or rather, complete lack thereof) that is given to nearly EVERY Android Device has even the SLIGHTEST resemblance to the Support given to iOS devices even several years old (my iPad 2 and iPhone 4s STILL receive OS Updates), you are simply delusional.

    9. Re:What benefit to announcing it? by Shakrai · · Score: 2

      My Western Electric Model 1500 begs to differ.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    10. Re:What benefit to announcing it? by macs4all · · Score: 4, Insightful

      But the devices won't last forever, so that's not what is being asked of vendors. Support as long as the hardware can reasonably be expected to last in significant numbers is a much shorter period of time and probably not so much of an ask.

      If they don't want to commit for that long, perhaps they should advertise their product as disposable.

      Your point being?

      Apple has hands-down the best track record of supporting less-than-current-generation mobile hardware. Even Google is dropping support for most of the past generations of NEXUS hardware; something they basically stated they wouldn't do.

      And as for all the rest of the Android OEMs: Well, they should simply be ashamed of themselves, period.

    11. Re:What benefit to announcing it? by Tough+Love · · Score: 2

      If vendors were even halfway responsible and ethical, the last OTA before dropping support would always leave the ROM unlocked for community maintenance. But vendors are not anywhere near halfway responsible and are more than halfway stupid.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    12. Re:What benefit to announcing it? by cynicist · · Score: 2

      My Nexus 4 is still getting the latest OS updates even though it is several years old, and the Nexus 5 is as well. The main reason the Galaxy Nexus isn't getting further support is likely because the chipset manufacturer has exited the market entirely.

      Don't forget that Google does not make the hardware themselves, unlike Apple.

  4. /system/lib/libstagefright* by emil · · Score: 5, Informative

    The problem appears to lie in one of the files /system/lib/libstagefright*

    NPR is saying that Google Hangouts makes the problem worse:

    The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery... this setup invites the malware right in. If you're using the phone's default messaging app, he explains, it's "a tiny bit less dangerous." You would have to view the text message before it processes the attachment. But, to be clear, "it does not require in either case for the targeted user to have to play back the media at all," Drake says.

    It would appear prudent to uninstall Google Hangouts. If you can disable MMS with your carrier, do so, otherwise do not look at text messages from originators that you do not know - delete the conversations.

    Carriers are unlikely to patch (look at SamsungIME.apk if you think OEMs or carriers will lift a finger to help us).

    Root your phone, and await a new set of /system/lib/libstagefright* files - Cyanogenmod will likely provide KitKat copies if they ever shirk their laziness long enough to deliver the final promised KitKat milestone.

    1. Re:/system/lib/libstagefright* by GNious · · Score: 3, Informative

      If you can disable MMS with your carrier, do so, otherwise do not look at text messages from originators that you do not know - delete the conversations.

      While that seems like a generally prudent step, in this case...

      lets attackers compromise a device through a simple multimedia text — even before the recipient sees it.

    2. Re:/system/lib/libstagefright* by arkane1234 · · Score: 2

      Nah, Hangouts is owned by Google, you're okay.

      --
      -- This space for lease, low setup fee, inquire within!
    3. Re:/system/lib/libstagefright* by CylanR77 · · Score: 2

      They just haven't been paying attention to their history lessons.

      Outlook used to do the same sort of thing, with similar results: it would automatically display emails and certain attachments, and it turns out that some types of media or emails could have had malware embedded in them...

      But hey, that was over ten years ago so surely this sort of problem could never come up again, right?

      --
      http://cylan.deviantart.com/gallery/
    4. Re:/system/lib/libstagefright* by drinkypoo · · Score: 3, Interesting

      I'm actually kind of hoping this is a viable option. I dread the idea of re-installing my phone from scratch, but a drop-in replacement for the affected files would certainly be welcome.

      Probably not. libstagefright is, nominally, per-GPU. Every GPU vendor would have to roll their own. And then it would have to be tested... It's just not going to happen at all. Everyone is going to say "time to move on" and blame the vendors. The vendors will blame the GPU makers...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. Re:Android versions prior to Jelly Bean, version 4 by itamihn · · Score: 2

    This sounds far less than the 95% of Android devices stated in the article. It would affect 11% of users (http://developer.android.com/about/dashboards/index.html).

  6. value on black market by edxwelch · · Score: 4, Insightful

    So, remote execution vulnerability on nearly 1 billion devices...
    I wonder how much they would have made if they had sold it on the black market, instead of telling Google about it?

  7. How to fix it. by Anonymous Coward · · Score: 5, Funny

    Please give me your phone numbers so I can text you the fix for this issue.

    1. Re:How to fix it. by JBallz · · Score: 5, Funny

      867-5309

  8. NuPlayer by brunes69 · · Score: 2

    It is unclear to me from these articles or any research I was able to do, if you are vulnerable to this exploit if you use Lollipop which uses NuPlayer by default, not Stagefright.

  9. Google dropped the ball being too permissive by Anonymous Coward · · Score: 4, Interesting

    If Windows or Linux or Unix or any other manufacturer of an operating system had put the ability and responsibility for patching the OS in the hands of the device manufacturers or the ISPs or anybody else, they would all have the same problem that Android is suffering.

    Android gets tarnished, not because Google is lax in the updates, but because Google allowed the carriers/device manufacturers to take ownership for patching devices. At least MSFT was smart enough not to leave that up to Dell, Acer, Compaq, HP, etc.

    Google should draw a line in the sand and say going forward they will issue the patches and the carriers have to enable that on new devices or they can't play with Android toys.

    1. Re:Google dropped the ball being too permissive by Anonymous Coward · · Score: 2, Insightful

      That's not how open source works though. You cannot force downstream projects to pull upstream fixes.

  10. Android in a car? by used2win32 · · Score: 2

    We see reports here of exploits like this or RSC Android last week (Link), the reports that more than 99% of all mobile malware targets Android (Link), etc., and it makes me wonder... Why would anyone trust a vehicle running Android?

    If your phone stops working you can get another one (less than 1% of mobile malware targets Apple iOS, Windows and Blackberry combined), if your car stops working or gets hacked, it can kill you. Just wait until the first time the brakes are not available until you pay the ransomware (Link) money.

    Disclaimer: I am the user of an old dumb phone, it is not very smart...

    --
    Procrastination; I'll think of a sig tomorrow.
  11. Re:Android versions prior to Jelly Bean, version 4 by Anonymous Coward · · Score: 5, Informative

    It's a mix of two factors:
    1) Fixes are available for 4.1 and up, *but*
    2) Virtually no phones have *received* the patch, because it has to flow through the manufacturer, and they simply don't *care* about updating any phone which isn't currently their flagship model.

  12. Re:Unpaid Blackberry shill... by Anonymous Coward · · Score: 2, Funny

    Now bring on the BB bashing!

    Not really much fun picking on you and the three other BB users around here...

  13. Hangouts can not be removed by erice · · Score: 2

    It would appear prudent to uninstall Google Hangouts.

    Prudent but not always possible. On some versions of Android, Google Hangouts is a system app, part of the OS image. It cannot be uninstalled. Only updates can be uninstalled, which is not helpful in this case.

    This is not the case with my old phone. It runs Gingerbread, and Hangouts did not exist when Gingerbread came out. It is also not true of my new phone. I'm running a third party "debloated" version of Lollipop that omits Hangouts and other not-necessarily desired apps from the image.

  14. Re:Android versions prior to Jelly Bean, version 4 by dsparil · · Score: 2

    Versions before 4.1 are extra vulnerable because Stagefright has more privileges in those versions; I think the difference is that Stagefright is sandboxed in 4.1+, but not in previous versions. So, 4.1+ is limited, an understatement, to unfettered access to the camera, microphone and storage barring the use of an additional exploit. 4.0- is totally screwed.

  15. Root your device. Do not purchase locked devices. by emil · · Score: 3, Informative

    If you have rooted your device, you can remount /system in read-write mode, and from there you can remove any file in /system/app (thus removing Google Hangouts if it was installed in this location).

    Google, the OEMs, and the carriers have formally abdicated any security stewardship for Android (case in point - Towelroot).

    If you wish to maintain a secure Android device, you must root it yourself. No one else can or will help you until you root.
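The two hands-on mitigations proposed in this thread are the `media.stagefright.enable-player=false` line in build.prop (the reply under "How to Disable Stagefright?") and the remount-and-edit of /system above. The script below is an added example, not something posted in the thread or shipped by Android, that puts the build.prop edit into a repeatable form. It assumes a rooted device, `/system` already remounted read-write, a copy of build.prop pulled with adb, and that the device only re-reads the file at boot. One caveat the thread does not settle: that flag selects the playback engine, and nothing on this page establishes that it stops the parsing of an incoming MMS attachment, so treat it as an unverified mitigation to use alongside removing the auto-processing messaging app, not instead of a vendor patch.

```sh
#!/bin/sh
# Added example, not code from the Slashdot thread or from Android.
# Reads and sets key=value entries in an Android build.prop-style file.
# Assumptions: the file is a local, writable copy of /system/build.prop;
# on the device that requires root plus `mount -o remount,rw /system`,
# and edits take effect only after a reboot. Whether the player flag
# alone blocks the MMS attack path is not established on the page.

get_prop() {  # get_prop FILE KEY -> prints the value, empty if unset
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

set_prop() {  # set_prop FILE KEY VALUE -> replaces an existing line or appends one
    tmp="$1.tmp.$$"
    awk -F= -v k="$2" -v v="$3" '
        $1 == k { print k "=" v; seen = 1; next }
        { print }
        END { if (!seen) print k "=" v }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

stagefright_player_disabled() {  # exit 0 only if the player is explicitly off
    [ "$(get_prop "$1" media.stagefright.enable-player)" = "false" ]
}

disable_stagefright_player() {
    set_prop "$1" media.stagefright.enable-player false
}

# Usage on a rooted device with /system mounted read-write:
#   adb pull /system/build.prop ./build.prop
#   disable_stagefright_player ./build.prop
#   stagefright_player_disabled ./build.prop && echo "flag set"
#   adb push ./build.prop /system/build.prop
#   adb reboot
```

The awk replace-or-append keeps any existing line for the key from being duplicated, so re-running the script is safe; `get_prop` afterwards is the check that the edit actually landed before the file goes back onto the device.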

  16. Re:Root your device. Do not purchase locked device by jenningsthecat · · Score: 2

    Even root access won't save my HTC Desire 510. Whenever I mount the system as read-write and remove files, (such as Facebook and Twitter .apk and .odex files), or even change files, (such as that stupid MP3 the phone plays while the screen says 'Quietly Brilliant'), HTC oh-so-helpfully restores them for me at the next cold boot, whether or not there's any network access. I'd love to install Cyanogenmod, but there's no fully functional ROM available for my phone.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  17. Re:Root your device. Do not purchase locked device by macs4all · · Score: 2, Insightful

    If you wish to maintain a secure Android device, you must root it yourself. No one else can or will help you until you root.

    So, IOW, for the 99.999999997% of Android Users that don't even know what "rooting" is, let alone how to do it, they are simply SOL until they purchase an iPhone.

  18. Re:Root your device. Do not purchase locked device by macs4all · · Score: 3

    I'm sure the attention this will be receiving from the media will force the vendors to patch this. They wouldn't want a massive turnover to iPhone because they were too lazy to provide a simple patch.

    How much would you like to lose on that bet?

  19. Re:Android versions prior to Jelly Bean, version 4 by Karlt1 · · Score: 4, Insightful

    The difference is that when Apple patches a security flaw, every semi-current iPhone user worldwide can install the patch, and Apple usually patches the current version and one version back. For instance, the "goto fail" security patch that was released in March 2014 patched every phone back to the iPhone 3GS from 2009 (patch for 6.x) and iOS 7.

  20. Can we confirm? by emil · · Score: 2

    What is the impact if other media.stagefright* entries are disabled? I see a long list.

  21. immutable by emil · · Score: 2

    You might try creating it as a directory first - you're trying to sabotage whatever script is running that restores these files, and the simplest sabotage is the best.

    Here is the description of the immutable flag from the chattr man page:

    A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

    1. Re:immutable by righteousness · · Score: 2

      None of your suggestions would work unless the phone is modded to S-Off mode to remove the write protection. What actually happens in S-On mode, which is the default, is that any change to the system files is actually made to a copy-on-write virtual filesystem. This virtual filesystem is reset on every boot so you'd get back to where you started. So there's no script that is run to restore the files as you assumed because the files are never touched in the first place.

      --
      Don't fornicate. Seriously, just don't do it.
  22. Re:Root your device. Do not purchase locked device by Vitriol+Angst · · Score: 2

    they are simply SOL until they purchase an iPhone.

    I seem to remember reading that in the Android support manual.

    --
    >>"ad space available -- low rates!!!"
  23. Re:Android versions prior to Jelly Bean, version 4 by amicusNYCL · · Score: 2

    How's that iPhone sounding about now?

    Literally exactly the same that it sounded before this was announced. I'm going through my list of all of the reasons why I don't have an iPhone, and this announcement doesn't seem to have changed even a single one of those reasons.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black