Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Stagefright' Flaw: Compromise Android With Just a Text

Posted by Soulskill on from the much-more-convenient dept.

An anonymous reader writes: Up to 950 million Android phones may be vulnerable to a new exploit involving the Stagefright component of Android, which lets attackers compromise a device through a simple multimedia text — even before the recipient sees it. Researchers from Zimperium zLabs reported the related bugs to Google in April. Google quickly accepted a patch and distributed it to manufacturers, but the researchers say they don't think the manufacturers have yet passed it on to most consumers.

"The weaknesses reside in Stagefright, a media playback tool in Android. They are all "remote code execution" bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright's permissions. That would allow for recording of audio and video, and snooping on photos stored in SD cards. Bluetooth would also be hackable via Stagefright."

7 of 203 comments (clear)

  1. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 5, Funny

    Please follow this guide to disable it:
    1. Stand up
    2. Take phone in hand
    3. Take a few steps to the trash bin
    4. Throw phone in trash bin

  2. Re:How to Disable Stagefright? by Anonymous Coward · · Score: 5, Informative

    in build.prop, media.stagefright.enable-player=false

  3. /system/lib/libstagefright* by emil · · Score: 5, Informative

    The problem appears to lie in one of the files /system/lib/libstagefright*

    NPR is saying that Google Hangouts makes the problem worse:

    The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery... this setup invites the malware right in. If you're using the phone's default messaging app, he explains, it's "a tiny bit less dangerous." You would have to view the text message before it processes the attachment. But, to be clear, "it does not require in either case for the targeted user to have to play back the media at all," Drake says.

    It would appear prudent to uninstall Google Hangouts. If you can disable MMS with your carrier, do so, otherwise do not look at text messages from originators that you do not know - delete the conversations.

    Carriers are unlikely to patch (look at SamsungIME.apk if you think OEMs or carriers will lift a finger to help us).

    Root your phone, and await a new set of /system/lib/libstagefright* files - Cyanogenmod will likely provide KitKat copies if they ever shirk their laziness long enough to deliver the final promised KitKat milestone.

  4. How to fix it. by Anonymous Coward · · Score: 5, Funny

    Please give me your phone numbers so I can text you the fix for this issue.

    1. Re:How to fix it. by JBallz · · Score: 5, Funny

      867-5309

  5. Re:How to Disable Stagefright? by Ukab+the+Great · · Score: 5, Funny

    Imagining everyone who texts you in their underwear.

  6. Re:Android versions prior to Jelly Bean, version 4 by Anonymous Coward · · Score: 5, Informative

    It's a mix of two factors:
    1) Fixes are available for 4.1 and up, *but*
    2) Virtually no phones have *received* the patch, because it has to flow through the manufacturer, and they simply don't *care* about updating any phone which isn't currently their flagship model.