Slashdot Mirror


Millions of Android Devices Vulnerable To New Stagefright Exploit

An anonymous reader writes: Security researchers have found yet another flaw in Android's Stagefright. The researchers were able to remotely hack an Android phone by exploiting the bugs. According to their estimation, the flaw exposes devices running Android software versions between 5.0-5.1, or 36% of 1.4 billion, to security attacks. "I would be surprised if multiple professional hacking groups do not have working Stagefright exploits by now. Many devices out there are still vulnerable, so Zimperium has not published the second exploit in order to protect the ecosystem," Zuk Avraham, chairman of Zimperium, the firm which found the first Stagefright exploit, told Wired.

48 comments

  1. Good by johanw · · Score: 4, Funny

    A new nearly-universal root method is always handy.

    1. Re:Good by AmiMoJo · · Score: 4, Informative

      That's not what this is. TFP is careful to point out that all it gets you is executing arbitrary code in the process that is affected, in this case the browser. So you would need further exploits to get anywhere from there.

      Even that is difficult as it requires knowing certain things about the target device, like the exact ROM it is running. It also looks like Google should be able to mitigate it pretty quickly by updating Chrome and various system components via Play.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Good by GuB-42 · · Score: 3, Informative

      Not when there is already an "official" method that requires a physical manipulation.

      A typical Android root method that is tolerated by manufacturers requires you to reboot, press a specific button combination, connect your device to a computer via USB and run a program on the computer. This way, you can be reasonably sure that the user is the one who initiated the root procedure and not some malware. Root has serious security implications, so anything that guarantees that it really is the user's choice is a good thing.

      Android is not iOS, there is plenty of choice for devices that can be rooted without shady exploits. We shouldn't rejoice when such vulnerabilities appear.

    3. Re: Good by the_humeister · · Score: 1

      Just for clarification, there are official methods to bootloader unlock some phones (eg Google Nexus, HTC, Motorola, Sony, etc.), but not root. These methods vary by carrier. Generally carrier branded phones may be bootloader unlockable (AT&T HTC One M8/M9/A9) or not (Verizon HTC One M8/M9). You have to do research to figure this one out.

      Now with regard to root, root and bootloader unlock often go hand in hand, but they're not the same thing. You can have root on your system without having bootloader unlock on the device (via root exploit, eg any carrier branded Samsung Galaxy S5/6/7). You can have bootloader unlock without having root on your system (ie don't flash SuperSU or don't flash a ROM containing root privileges).

    4. Re: Good by Foresto · · Score: 1

      To expand on that, there are cases when a root exploit is preferable to a bootloader unlock. For example, when the official bootloader unlock procedure deletes all your applications and data, and permanently disables some of the features in your phone. (I'm looking at you, Sony.)

  2. "Android 2.2, 4.0, 5.0 and 5.1" by Anonymous Coward · · Score: 0

    The researchers from NorthBit say they have been able to create an exploit that can be used against Stagefright on Android 2.2, 4.0, 5.0 and 5.1. Other versions are not affected.

    Other versions are not affected by the issue, or not affected by the NorthBit-created exploit?

    Also, is MMS still a thing at carriers? The last few times I supposedly received one they already sent me a text message to go view the message online instead.

    1. Re:"Android 2.2, 4.0, 5.0 and 5.1" by NatasRevol · · Score: 1

      Because webpages can have built in ads & trackers.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:"Android 2.2, 4.0, 5.0 and 5.1" by BronsCon · · Score: 1

      Sprint or Verizon?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  3. Re:FBI will like this. by Anonymous Coward · · Score: 1

    Try getting root on Note 4 running android 5.1.1. Can't be done as far as I can tell. :((

  4. Re:And? by GTRacer · · Score: 4, Interesting

    Aside from crappy security implementations which I blame mostly on Google, I don't get this attitude of yours.

    Anyone who in 2016 doesn't understand how the exchange of a "free" phone OS for personal data works needs to grab a refresher from the many excellent sources of economic theory available.

    Meanwhile, I *know* I'm the product, but in exchange I get great web searches, kick-ass navigation, YouTube, handy email and calendar integration with work, and more.

    --
    Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  5. Missing information from summary by Aighearach · · Score: 2

    You need to put some basic technical information about what is affected in the summary. If you don't give that, it is just click-baity.

    Specifically, this affects Android versions "2.2, 4.0, 5.0 and 5.1. Other versions are not affected."

    If you use nerds for editors, that can help make sure that you include the right information in the summary so that users can evaluate if they want to click on the link, or not. We don't just click all the links because they were posted.

    1. Re:Missing information from summary by Anonymous Coward · · Score: 3, Informative

      Well, given that this is about 1/3 of all Androids in the wild, everyone should be checking.

      https://developer.android.com/...

      Also, other places say all versions of Android 2.2 & above are affected, which is ~95%

      http://www.wired.co.uk/news/ar...

  6. Re:FBI will like this. by LichtSpektren · · Score: 3, Informative

    Ever notice how the feds never go after Google or the Android phone makers to unlock things? They don't need to, they've been able to go balls-deep in Android since Day One. Too bad only Apple seems to give a poop about security.

    It would take me too long to write a full rebuttal for your post, but to summarize: 1) The feds DO go after Google and OEMs to unlock phones. 2) Cheapo Android phones are insecure. But Nexus phones get prompt security updates straight from Google. Samsung is also nowadays rigorous about securing their flagship phones, since they're approved by the DoD for government employee usage (cf. "Samsung Knox").

  7. 2016 The year Linux was like by future+assassin · · Score: 1

    windows. Sorry Android...

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re:2016 The year Linux was like by Anonymous Coward · · Score: 0

      Linux

      But this is not a kernel exploit.

  8. Re:And? by Anonymous Coward · · Score: 1

    Personal data is a shitty payment option. I have cash. But, not the amount of cash needed to satisfy Google.

  9. Disabling Auto Download of Multimedia Messages.. by DigitalSorceress · · Score: 1

    Back when my phone was still reporting it was vulnerable, I took the step of disabling auto downloading of multimedia messages as it was the only way to be sure (nuke it from orbit).

    I only turned that back on after my phone passed all the known tests... At this point, it's not worth the risk - this whole StageFright thing seems to be just fundamentally bad, so I'm leaving the Auto Download off.

    I never once got a multimedia message from someone who wasn't already known to me, but I figure that the slight inconvenience of deciding to download or not is worth the security benefit.

    --
    The Digital Sorceress
  10. Bad by shawn2772 · · Score: 2

    A new nearly-universal root method is always handy.

    To attackers wanting to steal your data, sure.

    For users, this is a bad thing. If you want to root your device, buy one that is unlockable and you won't need exploits. Meanwhile, OEMs need to keep their devices patched so that problems like this don't reduce the security of hundreds of millions of devices.

    That said, it's worth pointing out that Stagefright appears to have turned out to be much ado about nothing. AFAIK (and I work on the Android security team, so there's a high probability that I would know), no one, anywhere, has seen an example of Stagefright, v1 or v2, being exploited in the wild. That's not to say that these things don't need to be fixed, but the risk is often overstated in the press by reporters looking for clickbaity headlines.

    1. Re:Bad by brunes69 · · Score: 1

      I am a "user" and the only reason I entered this thread was to see if I could use this to FINALLY root my Galaxy S6 which has a signed bootloader and no root method.

      So, you're wrong. Users also want root methods for Android because carriers and manufacturers keep locking the damn bootloader.

    2. Re:Bad by Alter_3d · · Score: 1

      I believe that this has been repeated incessantly, but if you want complete freedom over your phone, get a Nexus. Samsung phones are great for average users, but that's it.

    3. Re:Bad by shawn2772 · · Score: 1

      So, you're wrong. Users also want root methods for Android because carriers and manufacturers keep locking the damn bootloader

      If you want to root, why did you buy a locked phone? In the short term that's the only way you'll be able to do it reliably. In the long term that's the only way you'll be able to do it at all. As we keep tightening the security model exploits are going to get both rarer and less effective (SELinux is making it damned hard today to convert system exploits to root exploits).

      Perhaps more importantly, by choosing to buy an unlockable phone you're sending a message to OEMs, telling them that unlockability is important to you. The only message they'll really listen to, actually.

    4. Re:Bad by piojo · · Score: 1

      It's really hard to get a phone that has complete freedom and isn't junk. The best compromise I've seen was the HTC m7. I heard the newer Nexus phones might not be as bad as the one I had, but it's going to be a few years before I'm willing to give Google another chance.

      --
      A cat can't teach a dog to bark.
    5. Re: Bad by brunes69 · · Score: 1

      We don't all have carte blanche options on what phones we can buy.

    6. Re: Bad by shawn2772 · · Score: 1

      We don't all have carte blanche options on what phones we can buy.

      Then your days of rooting are coming to an end. They may already have come to an end; it's possible that your Galaxy S6 will never have a workable rooting method.

  11. No problem by Locke2005 · · Score: 1

    I downloaded Stagefright Detector on my Galaxy S7, and it says "Your device is not vulnerable to Stagefright. Everything is OK." Now if I could only get that kind of feedback in other areas of my life!

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  12. or 36% of 1.4 billion by Anonymous Coward · · Score: 0

    "or 36% of 1.4 billion"

    That seems optimistic...

  13. Uhhh ok by Anonymous Coward · · Score: 0

    So upgrade to Android 6.0

    1. Re:Uhhh ok by Anonymous Coward · · Score: 0

      You can't unless your carrier has approved it for their network.

    2. Re:Uhhh ok by Anonymous Coward · · Score: 0

      Most people can't because they were idiots and bought a phone locked up by the carrier instead of getting a Nexus phone, which everyone knows gets updated right away directly from Google. FTFY

    3. Re:Uhhh ok by Anonymous Coward · · Score: 0

      Google does not sell Nexus for all service providers. Some service providers suck donkey balls in certain areas. Some people have different preferences or needs than condescending idiots on the internet.

    4. Re:Uhhh ok by timritzer · · Score: 1

      Hahah hahahah hahaha. You're funny. You're aware most devices support 6.0, and it absolutely is not in the hands of the carriers, right? Sure, you might not get the easy OTA without your carrier, but you can easily upgrade.

    5. Re:Uhhh ok by Anonymous Coward · · Score: 0

      Keep telling that to yourself. I'm sticking to my story, bunch of idiots bought the wrong phone. If you're going to buy an Android-based phone get a Nexus, otherwise forget Android and go with an iPhone.

      The Nexus 6P supports both CDMA and GSM. I find it difficult to believe it isn't supported on most providers. Personally, I'm with an MVNO who offers unlimited data. Loving my 6P! Suckers are those who bought anything else (although I've read Samsung has been stepping up their efforts lately).

    6. Re:Uhhh ok by KGIII · · Score: 1

      You wanna know how messed the world is? Let's just say that I'm a pretty content Linux user. My phone is a Windows phone and has been since October of last year. Yup... I use a Windows 8 phone and am pretty happy with it. Actually, I'm more than happy with it. Note: I keep two phones. One is a dumb-phone. I do nothing "secure" or even really private on either phone.

      Back in late September, I hit the road. I'm still sort of on it. Some young lady bumped into me and she stuck, she's been there since. At any rate, in October I got a bit sick of it and started asking some questions here on Slashdot. I mentioned a Windows phone and a few people piped up and expressed that they were happy with their models or that their spouses were happy with their models. Updates come from Microsoft, they're speedy, the phone works fantastically, and there are all the apps I could possibly want - but there aren't a bunch of duplicate me-too apps in the store. That's something that's very different from Android and iPhone.

      So, the hotel I was at allowed me to get stuff shipped to me. I was up in Buffalo at the time. I made a phone call and a couple of days later, I had a package in the mail. I turned it on, I went through the setup, and it started working - the old one stopped working shortly afterwards. (I was curious and checked the old one. I am not a phone geek, I don't pay much attention to how it works.) That was it. I've been using that phone since then.

      So, that's the entirety of the experience that I have but, so far, it has been pretty good. I've been quite content with it. I've not yet thought of something that I wanted to do with it that I was unable to do with it. It's open enough so that I can easily program for it - if I wanted to, which I do not. I've had no crashes, indications of malware, known security issues, hindrances, hassles, or problems of any type. It is speedy, has plenty of resources, and is responsive and intuitive in operation - but not even really like an iDevice or an Android.

      Yes, I am as shocked as you are. I'm kind of surprised that it is not more popular. Not one goal has remained unmet with the phone. Yeah... I'm impressed with that.

      --
      "So long and thanks for all the fish."
  14. Re:FBI will like this. by Anonymous Coward · · Score: 0

    IIRC, that's not a problem with "Note 4" generally, but with carrier-crippled N910AZKEATT (The AT&T version).

    On the T-Mobile one, for instance, you can use the unlocked bootloader to apply a script that enables root (update kernel and install /system/sbin/su).

  15. Re:Disabling Auto Download of Multimedia Messages. by robmv · · Score: 1

    I am on a Nexus device, a properly patched Android, but still I removed the MMS configuration from the cellular network AP configurations. I don't use or receive MMS, so there is no need for it. It is another good option.

  16. Re:And? by thegarbz · · Score: 3, Insightful

    Anyone who in 2016 doesn't understand how the exchange of a "free" phone OS for personal data works needs to grab a refresher from the many excellent sources of economic theory available.

    There's nothing free about Android that is shipped on phones. Vendors deal with Google and in return ship *additional apps* in their OS. The customers then in turn pay very good money for the use of the phone.

    All of that is not really an issue anyway since absolutely nothing in Android leaks privacy. You can run it without phoning home, without a Google account, and you can run it even when you have zero access to Google or any Google services (see the millions of Android devices in China).

    Mind you I'm interested in your economic theory on open source software, which is what Android actually is.

    kick-ass navigation, YouTube, handy email and calendar integration with work, and more.

    None of which are part of Android and none of which have anything to do with Android's security implementation.

  17. Re:And? by thegarbz · · Score: 1

    Google? Oh man if you realised how many different companies you need to send your cash to in order to use modern technology you would quickly hide your cash and say "take all my personal data".

    I actually think personal data is an awesome payment method. Especially when it's inaccurate and uncontrolled.

  18. Re:FBI will like this. by Anonymous Coward · · Score: 0

    Yes, the ATT version. As far as I can tell root is impossible.

  19. Apple vs Google by OrangeTide · · Score: 1

    Note the FBI and President aren't publicly pushing for Google's help to unlock Android devices.
    Things like this explain why it's not necessary for the government to get help.

    --
    “Common sense is not so common.” — Voltaire
  20. Firefox by emil · · Score: 1

    Didn't Firefox eliminate all usage of Stagefright in their browser? That might be safer still, especially considering that Google made this mess. Firefox brings along their own H.264 and WebM codecs that can actually be updated - how shockingly innovative!

    It might be further prudent to purge any browser based on webkit/blink from Android. The "celebrated" fast browsers (maxthon, cmbrowser) have terrible scores at ssllabs.com anyway.

    This is Google's problem with Android:

    Everyone knows that debugging is twice as hard as writing a program in the first place. So if you're as clever as you can be when you write it, how will you ever debug it? — Brian Kernighan, The Elements of Programming Style, 2nd edition, chapter 2

  21. It's not a new flaw. by Anonymous Coward · · Score: 0

    The news here is that a more reliable exploit has been created. The vulnerabilities have been publicly known since last fall.

  22. What does this mean??? by chasm22 · · Score: 1

    "This research shows exploitation of this vulnerability is feasible. Even though a universal exploit with no prior knowledge was not achieved, because it is necessary to build lookup tables per ROM, it has been proven practical to exploit in the wild."

    Especially the part that says "a universal exploit with no prior knowledge was not achieved".

    In other words to own it you must own it? Just kidding, excellent work.

  23. I'm safe by JustAnotherOldGuy · · Score: 3, Informative

    From the PDF: "The victim also has to linger for a time in the attack webpage"

    Since I don't use my phone for browsing*, I guess I'm safe for the moment.

    -

    *Yeah, I just use it to make calls and take calls, and maybe snap the occasional picture. Weird, huh?

    --
    Just cruising through this digital world at 33 1/3 rpm...
  24. Re:FBI will like this. by Anonymous Coward · · Score: 0

    Android is Swiss cheese. The 'hardened' versions are still easy to get into for any government agency. The Feds don't approve products for their own use that they do not have backdoors into, whether it be via NSA/FBI or court order.

    Android is a hacker's dream.