Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Stagefright' Flaw: Compromise Android With Just a Text

Posted by Soulskill on from the much-more-convenient dept.

An anonymous reader writes: Up to 950 million Android phones may be vulnerable to a new exploit involving the Stagefright component of Android, which lets attackers compromise a device through a simple multimedia text — even before the recipient sees it. Researchers from Zimperium zLabs reported the related bugs to Google in April. Google quickly accepted a patch and distributed it to manufacturers, but the researchers say they don't think the manufacturers have yet passed it on to most consumers.

"The weaknesses reside in Stagefright, a media playback tool in Android. They are all "remote code execution" bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright's permissions. That would allow for recording of audio and video, and snooping on photos stored in SD cards. Bluetooth would also be hackable via Stagefright."

22 of 203 comments (clear)

  1. Android versions prior to Jelly Bean, version 4.1 by Anonymous Coward · · Score: 4, Informative

    "Android versions prior to Jelly Bean, version 4.1, representing roughly 100 million devices, have “inadequate exploit mitigations” that wouldn’t prevent Stagefright attacks over MMS."

    You're welcome.

  2. What benefit to announcing it? by pz · · Score: 3, Insightful

    This group sounds like they acted reasonably and responsibly, letting Google know there was a problem, and submitting good patches to correct the issue.

    If, now, there's some other fundamental impediment to distributing a correction to the bug that does not have to do with Google, but rather with the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix, why should the vulnerability be made public? I don't see any apparent upside to the public good.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    1. Re:What benefit to announcing it? by Bugler412 · · Score: 4, Insightful

      Upside would be forcing carriers and OEMS to actually support their product in an ongoing fashion rather than quietly stopping updates shortly after releasing the device, as is the case with many lower end Android devices

    2. Re:What benefit to announcing it? by zarmanto · · Score: 4, Informative

      ... the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix...

      Faulty premise: The issue isn't that they do not have the ability to distribute fixes; it's that they each have different levels of corporate red tape, preventing the expeditious distribution of these fixes. That's been an ongoing problem in the Android market for years, now. Thus, the benefit of this reveal is that, when an exploit hits the wild (and it would have with or without this announcement) these researchers (and Google) can all respond to outraged customers by saying, "Don't blame me! I did my part!" and point their fingers out to the carriers.

    3. Re:What benefit to announcing it? by brunes69 · · Score: 3, Interesting

      I disagree. It will put pressure on all the cell phone manufacturers and carriers to stop dragging their feet and release updates in a timely fashion.

      This way Google and the group can say "we warned you" if a bunch of Verizon Samsung customers get exploited because Verizon would not allow the release to be published. No carrier wants that kind of news item.

    4. Re:What benefit to announcing it? by macs4all · · Score: 4, Insightful

      Even Apple is not immune to this. Their very expensive disposable shit is not supported forever, and god forbid should an exploit be found then.

      NOTHING is supported "Forever". It is simply impractical to do so.

      However, if you think the "Support" (or rather, complete lack thereof) that is given to nearly EVERY Android Device has even the SLIGHTEST resemblance to the Support given to iOS devices even several years old (my iPad 2 and iPhone 4s STILL receive OS Updates), you are simply delusional.

    5. Re:What benefit to announcing it? by macs4all · · Score: 4, Insightful

      But the devices won't last forever, so that's not what is being asked of vendors. Support as long as the hardware can reasonably be expected to last in significant numbers is a much shorter period of time and probably not so much of an ask.

      If they don't want to commit for that long, perhaps they should advertise their product as disposable.

      Your point being?

      Apple has hands-down the best track record of supporting less-than-current-generation mobile hardware. Even Google is dropping support for most of the past generations of NEXUS hardware; something they basically stated they wouldn't do.

      And as for all the rest of the Android OEMs: Well, they should simply be ashamed of themselves, period.

  3. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 5, Funny

    Please follow this guide to disable it:
    1. Stand up
    2. Take phone in hand
    3. Take a few steps to the trash bin
    4. Throw phone in trash bin

  4. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 5, Informative

    in build.prop, media.stagefright.enable-player=false

  5. /system/lib/libstagefright* by emil · · Score: 5, Informative

    The problem appears to lie in one of the files /system/lib/libstagefright*

    NPR is saying that Google Hangouts makes the problem worse:

    The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery... this setup invites the malware right in. If you're using the phone's default messaging app, he explains, it's "a tiny bit less dangerous." You would have to view the text message before it processes the attachment. But, to be clear, "it does not require in either case for the targeted user to have to play back the media at all," Drake says.

    It would appear prudent to uninstall Google Hangouts. If you can disable MMS with your carrier, do so, otherwise do not look at text messages from originators that you do not know - delete the conversations.

    Carriers are unlikely to patch (look at SamsungIME.apk if you think OEMs or carriers will lift a finger to help us).

    Root your phone, and await a new set of /system/lib/libstagefright* files - Cyanogenmod will likely provide KitKat copies if they ever shirk their laziness long enough to deliver the final promised KitKat milestone.

    1. Re:/system/lib/libstagefright* by GNious · · Score: 3, Informative

      If you can disable MMS with your carrier, do so, otherwise do not look at text messages from originators that you do not know - delete the conversations.

      While seems like generally prudent step, in this case...

      lets attackers compromise a device through a simple multimedia text — even before the recipient sees it.

    2. Re:/system/lib/libstagefright* by drinkypoo · · Score: 3, Interesting

      I'm actually kind of hoping this is a viable option. I dread the idea of re-installing my phone from scratch, but a drop-in replacement for the affected files would certainly be welcome.

      Probably not. libstagefright is, nominally, per-GPU. Every GPU vendor would have to roll their own. And then it would have to be tested... It's just not going to happen at all. Everyone is going to say "time to move on" and blame the vendors. The vendors will blame the GPU makers...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  6. value on black market by edxwelch · · Score: 4, Insightful

    So, remote execution vunerbility on nearly 1 billion devices...
    I wonder how much they would have made if they had sold it on the black market, instead of telling Google about it?

  7. How to fix it. by Anonymous Coward · · Score: 5, Funny

    Please give me your phone numbers so I can text you the fix for this issue.

    1. Re:How to fix it. by JBallz · · Score: 5, Funny

      867-5309

  8. Google dropped the ball being too permissive by Anonymous Coward · · Score: 4, Interesting

    If Windows or Linux or Unix or any other manufacturer of an operating system had put the ability and responsibility for patching the OS in the hands of the device manufacturers or the ISPs or anybody else, they would all have the same problem that Android is suffering.

    Android gets tarnished, not because Google is lax in the updates, but because Google allowed the carriers/device manufacturers to take ownership for patching devices. At least MSFT was smart enough not to leave that up to Dell, Acer, Compaq, HP, etc.

    Google should draw a line in the sand and say going forward they will issue the patches and the carriers have to enable that on new devices or they can't play with Android toys.

  9. Re:How to Disable Stagefright? by Ukab+the+Great · · Score: 5, Funny

    Imagining everyone who texts you in their underwear.

  10. Re:Android versions prior to Jelly Bean, version 4 by Anonymous Coward · · Score: 5, Informative

    It's a mix of two factors:
    1) Fixes are available for 4.1 and up, *but*
    2) Virtually no phones have *received* the patch, because it has to flow through the manufacturer, and they simply don't *care* about updating any phone which isn't currently their flagship model.

  11. Root your device. Do not purchase locked devices. by emil · · Score: 3, Informative

    If you have rooted your device, you can remount /system in read-write mode, and from there you can remove any file in /system/app (thus removing Google Hangouts if it was installed in this location).

    Google, the OEMs, and the carriers have formally abdicated any security stewardship for Android (case in point - Towelroot).

    If you wish to maintain a secure Android device, you must root it yourself. No one else can or will help you until you root.

  12. Re:How to Disable Stagefright? by macs4all · · Score: 3, Informative

    Please follow this guide to disable it:

    1. Stand up
    2. Take phone in hand
    3. Take a few steps to the trash bin
    4. Throw phone in trash bin

    That was modded "Funny"; but it's actually True for the vast majority of Android Users.

  13. Re:Root your device. Do not purchase locked device by macs4all · · Score: 3

    I'm sure the attention this will be receiving from the media will force the vendors to patch this. They wouldn't want a massive turnover to iPhone because they were too lazy to provide a simple patch,

    How much would you like to lose on that bet?

  14. Re:Android versions prior to Jelly Bean, version 4 by Karlt1 · · Score: 4, Insightful

    The difference is that when Apple patches a security flaw, every semi-current iPhone user worldwide can install the patch and Apple usually patches the current version and one version back. For instance, the "goto fail" security patch that was released in March 2014 patched every phone back to iPhone 3GS in 2009 (patch for 6.x) and IOS 7.