Slashdot Mirror
950 Million Android Phones Can Be Hijacked By Malicious Text Messages
techtech writes: According to security firm Zimperium a flaw called "Stagefright" in Google's Android operating system can allow hackers take over a phone with a message even if the user doesn't open it. The vulnerability affects about 950 million Android devices. In a blog post Zimperium researchers wrote: "A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone."
Hey morons, you already posted this TODAY.
95% of them will never be patched........thanks for all the fragmentation.....
No Android.
No smartphone.
No cellphone.
My telephone's an old fashion really dumb land line. One thing you gotta love about being behind the times is not getting hacked.
http://it.slashdot.org/story/15/07/27/1416257/stagefright-flaw-compromise-android-with-just-a-text
A fully weaponized attack could take screenshots and camera pictures of you tossing off at Wikiarmpits.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
CM and nearly all custom roms are immune and Lollipop is completely unaffected. Next time don't buy a carrier device.
$
EXCEPT 5.0 Lollipop, because Lollipop uses a different media framework. Which I'm sure has its own issues, but thankfully, even a year after release, its marketshare is tiny enough that it doesn't matter.
Even worse, it's a bug inside the OS itself, so it's not like Google can actually fix the problem like they have using Google Services Framework.
It can only be fixed by a rooted device or a software update to replace the broken library.
You can blame the carriers for much of that fragmentation.
Finger pointing.
The time-worn bullshit excuse that obviously never gets old.
If at first you don't succeed, fucking blame someone else.
And this is why I use a $9 phone that has support for nothing other than voice calls and plaintext SMS. Not only is it free from the effects of such exploits but the battery also lasts two weeks between charges, it fits very nicely in even the smallest pocket and doesn't distract me when I should be working or spending time with friends and family.
I only upgraded to this phone because I found the cranking handle on the side of my old phone was snagging on my pocket and the operator was sometimes very slow to respond with "number please" when I tried to summon her attention :-)
What's wrong with blaming the people responsible for the issue?
TFA (requires obnoxious CAPTCHA just to read, wtf) makes it clear the payload is inside a media file attached to an MMS. Myself I do not use MMS since it seems to require OTA data to download the MMS payload, which is exceedingly expensive on my current prepaid plan. Old phones are pretty likely to be used like this; voice only, data only over wifi, so it might lessen the impact. Anyways, I am on Lollipop.
When I buy a new phone, it generally involves a two year contract. Even without a contract, it's reasonable to expect that a new phone will be supported for a couple of years. For phones where the carrier controls the software, like Android, that seems to be an implicit part of the service that the carrier is contracted to provide. I don't agree with lawsuits for buggy code, provided that there isn't negligence involved. However, when the vendor and carrier are aware of a problem and fail to provide a solution in a timely manner, why aren't they held legally responsible? I recognize that this doesn't put lives at risk, but is the inaction of vendors and carriers fundamentally different than, say, the negligence of Fiat Chrysler that they just got fined for? When will there be class action suits against manufacturers and vendors who delay pushing out security updates for relatively new phones?
If it can be exploited remotely for root access then it can be patched remotely by a non-vendor. I guess we will see stagefright patch apps start appearing over the next few days.
Obviously, nobody can rely on the lame-ass vendors, even if they had their heart in it.
When all you have is a hammer, every problem starts to look like a thumb.
Hey morons, you already posted this TODAY.
Piece of shit Windows 10 comes out in a couple days. Some obscure-wtf-bullshit site zimperium(?!) posts on their own blog. So now it's the end of the world. All Androids are fucking rooted while you slept last night. Aw shit. Damn. This is supposedly because of vulnerable MMS video lag prevention features in "stagefright libraries".
FUD. 2x dupe on Slashdot raises the credibility eyebrow. c|net has had zero credibility with me for many years.
http://www.digitaltrends.com/mobile/android-stagefright-mms-hack-news/
"The good news is that hackers weren’t aware of the vulnerability, so it’s unlikely anyone is utilizing it at the moment. However, disclosures of the bugs will be released today, which means that exploiters will have enough information to start writing code."
In other words, if there even is a vulnerability capable of exploiting Android MMS with a text message, nobody has done it except allegedly whoever the hell zimperium "security researchers" are.
Now that it's in full blast FUD mode, Google and everybody else for sure sees it. As retarded as that would be to have mysterious hackers "send a txt message and pwn your phone" from the shadows of the underworld... I foresee zero chance of it happening. 0.00% chance but I see websites calling it "THE MOTHER OF ALL EXPLOITS". Nah homies. Fuck you.
I see here... http://forum.xda-developers.com/android/help/android-mms-stagefright-exploit-t3166457
One poster in the xda dev forum thread above says patches were sent by Google weeks ago. The poster links to a Forbes article. Another commenter shows how to disable the player by editing your build.prop
Nothing to see here folks. Not shit to do. Wait a day or two until stories say Welp, that was a big nothing.
Install Linux before Windows 10 comes out is my advice. distrowatch.com
tl;dr "oh shit Android needs a patch before somebody besides zimperium researchers (?!) figure out how to exploit the #1 mobile OS in the world!!11"
And this little bit of code supposedly does what? Does it auto-start a program on your phone already that connects to some IP address in Romania and begin to upload all your photos? Does it overclock your chips like STUXNET and your phone spins out of control in your pocket, melting your legs? We are supposed to be in suspense to find out what "they" do. LOL This shit is stupid. Double posting it? Ya, long memory here.
It's the phone makers' faults. Sorry, but that's just the way it is.
Apple has shown that it's possible for the device manufacturer to deploy new software directly. Yet in the Android world, it's still the carriers doing it. There's only a few phones where the manufacturer pushes new updates (and even those don't tend to be supported as long as iPhones do)
The Android world needs to wake the hell up and start supporting its users properly. It's ridiculous that this sort of situation can happen; if a similar exploit appeared for iOS, Apple would patch devices in 10 seconds flat.
If the data plan is turned off, you can't get any multimedia. It isn't an optimal solution, but turning data off will protect you, right?
God spoke to me
"It can only be fixed by a rooted device or a software update to replace the broken library."
"Rooting" (or allowing runtime access to root-level functions) is unnecessary for fixing any Android OS-level problem. However an unlocked bootloader will allow you to install an unofficial update or patch (unfortunately also allowing you to install a malware). A "rooted" device is actually even more of a security risk, especially if you have to trust a closed-sourced "superuser" binary.
Note that I distinguish between "rooted" Android systems that allow you to gain root level access on demand and those setups that allow for off-line root access via special recovery or debug modes that require a reboot and so is not available when running the system normally.
Is the patch available?
If editors don't read Slashdot itself maybe they should Google their own website. I mean a simple search like: "Android Malicious Text url:slashdot.org" returns both articles.
If editors google what they are about to post they can outsourse the job of reading the very site where they manage content.
CM and nearly all custom roms are immune and Lollipop is completely unaffected. Next time don't buy a carrier device.
Some of us don't have a choice, some of us still don't have a choice. Welcome to Canada.
Om, nomnomnom...
for iphone 4 as well? I don't think soooo.
anyhow... expect mobile networks to filter these messages in 1.2.3.4....
either that or 400 million phones in use in asia will receive an attack today if the attack really works as described in the blurb (proof of concept that installs something or gtfo).
(if you browse on a mobile from asia you might notice that shitloads of adverts that try to exploit or trick the user into installing sw. even slashdot carries occasionally ads targeted to asia tha will just straight up open another page that will try to fool the user into installing sw and doesn't let the user easily press back. thats without clicking the friggin advert. it's like ad networks do no curating whatsoever of asian targeted ads)
world was created 5 seconds before this post as it is.
That is completely wrong. The blog post by the folks who discovered the vulnerability even includes screencaps of Lollipop 5.1.1 being taken over via MMS. Not sure where you got the idea that Lollipop and CM are unaffected.
or never configure it in the first place to work.
that's your fix.
and slashdot editors: MMS IS NOT SMS SO FUCK YOU SLASHDOT EDITOR. it's not even remotely same technlogy.
mms is vulnurable? duh. how about sharing the image preview vuln(presumably) that's actually used since that has much more to it than just mms. but that mms implementation is exploitable is quite a bit less fatal/interesting than sms vuln.
besides than that I'm pretty fucking sure that 950 million android phones (total androids out there) don't have preview of mms in the notifications bar. only a subset has that feature. but the more interesting and potentially attackable route is through anything else that shows images.
world was created 5 seconds before this post as it is.
Coming from an android user, the gp is absolutely correct. Allowing carriers to decide whether updates are pushed out simply means that they never do so. It's the top item on the [fairly short] list of things that I wish would be copied from Apple.
It'll give you a warning before stagefright is used
https://github.com/WhisperSyst...
you can find SMSSecure on f-droid
Also check to make sure hangouts isn't using mms (just to be on the safe side)
EXCEPT 5.0 Lollipop, because Lollipop uses a different media framework. Which I'm sure has its own issues, but thankfully, even a year after release, its marketshare is tiny enough that it doesn't matter.
Even worse, it's a bug inside the OS itself, so it's not like Google can actually fix the problem like they have using Google Services Framework.
It can only be fixed by a rooted device or a software update to replace the broken library.
This is completely wrong: 5.0 and 5.1 all include stagefright library. Nuplayer has been around for awhile and is a counterpart to Stagefright. Android has been moving toward deprecating Stagefright and replacing it with Nuplayer. In 5.0 this started with the inclusion options to allow manufactures to use nuplayer or stagefright as the default. Since nuplayer is still considered experimental there are been compatibility issues so most manufacturers shipped their 5.0 and 5.1 builds with the default still set to stagefright. Most all lollipop phones are still using stagefright by default because that is what the manufacturers set in their builds.
On most phones with 5.x you can go into developer settings on the phone and turn the nuplayer under audio settings on which in theory should mitigate the vulnerability. Since this vulnerability really is 5 or more CVE's its a combination of more than a few bugs which means using nuplayer may not fully mitigate the vulnerability.
Concerning CyanogenMod, this was posted to their Facebook page a few hours ago:
Recent Stagefright issues
The following CVE's have been patched in CM12.0 and 12.1 nightlies for a couple weeks. If you haven't updated already, we strongly encourage you to do so.
CM11 will see these updates hit as part of out of band fixes this weekend (these releases occur weekly).
CVE-2015-1538
CVE-2015-1539
CVE-2015-3824
CVE-2015-3826
CVE-2015-3827
CVE-2015-3828
CVE-2015-3829
We are actively following all the DefCon events and announcements and will be keeping tabs on other disclosures that could impact CM and its derivatives.
ï
Seriously, do people really use MMS? Just disable MMS (if have enabled it) and you are safe as it seems.
What is the purpose of MMS? Paying 100x more to send the same contents which could be sent using an email?
I gave up with the idea of an useful sig...
The set of hardware capabilities available on a smartphone has more or less stabilized on phones these days. Which means that the kernel API to the hardware could be frozen. Which means that everything above the kernel level could be OTA-upgraded (to stock, at least -- carrier customizations should be installed as an app and/or theme on top of the stock firmware anyway). Why in 2015 is the entire platform not hot-upgradeable? The inability to do so is just plain stupidity. (Memory limits / CPU speed etc. don't count -- in Android K and L, a lot of work was done to reduce the memory footprint and increase the VM speed... you only need half a gig of RAM to run Android L.)
It's not a Text message (SMS). It's an MMS message. Different technology
"According to security firm Zimperium a flaw called "Stagefright" in Google's Android operating system"
Um, the flaw isn't called stagefright - the flaw is in a component called stagefright!
retrorocket.o not found, launch anyway?
What are you talking about? What does being in Canada have to do with it? I have rooted, unlocked, and installed CM on several devices including my Virgin Mobile Galaxy S1 and a Kudo Galaxy S2. And all the carriers here allow you to bring your own device if you wish. I brought my unlocked S2 to Telus.
When the critical Samsung keyboard exploit hit the news, I was able to do this (and you were not):
mount -o remount,rw /system /system/app . /system
cd
mv SamsungIME.apk SamsungIME.banished
scp cyanogen:/tmp/LatinIME.apk
cd
mount -o remount,ro
reboot
I have no intention of relinquishing my ability to repair this vendor-inflicted brain damage because of your foolish misconceptions.
As usual, I prefer to blame the victims (us).
On a desktop personal computer, it would never occur to you to think "Oh, I just assume I'll get software maintenance from my ISP," and if anyone ever actually said that then you would point your finger at them and laugh and their over-the-top stupidity.
But change the form factor of the personal computer to handheld and suddenly we don't do the pointing and laughing. On the very face of it, it's JUST AS STUPID. So WTF?
Users are not exercising their common sense. They simply aren't. You can make excuses for not using common sense and explain why we did this very obviously stupid thing, but don't pretend it's not happening. Every morning you're getting up and putting a "kick me" sign on your back. You know that you're doing it and you know what consequences will invariably flow from it.
"I don't have any other signs to put on my back! All the signs on the market say 'kick me!'"
"Just because I wear a 'kick me' sign that doesn't mean anyone really has license to kick me! They shouldn't be doing that to me!"
Ok, go on and say those things. You even have some valid points, and the things you're saying might even be technically correct. But that doesn't mean you don't sound stupid, because you don't have not getting kicked in your requirements! WTF, people?!
Stop thinking of handhelds as some weird special case where ALL your experiences with software maintenance magically don't apply! THAT'S STUPID! So yeah, I'm a victim-blamer. You know when you buy your PC from your ISP or from a manufacturer who has a history of preventing maintenance, what's going to happen. And when people pretend they don't know the invariable consequences of buying PCs from ISPs, the stupidity takes on a flavor of dishonesty. Mmmm, yum!
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
A voice of reason.
Similar setup here, my wife just switched to Fido after unlocking her HTC One. The plan is $15 cheaper if you bring your own device.
If at first you don't succeed, fucking blame someone else.
Stop it, you are embarrassing yourself.
You read the part where Google patched AOSP in 48 hours right? WTF do you want them to do? They don't have the ability push updates to phones issued by Verizon et al., let alone some oddball carrier in Thailand.