A new Android vulnerability has the security world worried, and it leaves your Android phone extremely exposed. The problem comes in the form of six bugs in an otherwise innocuous Android module called StageFright, which is used to play media.
The StageFright bugs allow a malicious MMS sent by an attacker to execute code inside the StageFright module. From there, that code has a number of options for taking control of the device. At the moment, about 950 million devices are affected by this vulnerability.
Simply put, this is the worst Android vulnerability in history.
Silent transmission
Android users are already frustrated by the vulnerability, and for good reason. A quick scan of Twitter showed plenty of angry users as the news hit the web.
Part of what makes this attack so scary is that there is little users can do to protect themselves from it. They probably wouldn’t even know the attack had happened.
Typically, an attack on an Android device requires the user to install a malicious application. This attack is different: the attacker only needs to know your phone number and send a malicious multimedia message (MMS).
Depending on which messaging app you’re using, you may not even know the message has arrived. For example, if your MMS messages go through Hangouts on Android, a malicious message can take control and hide itself before the system even alerts the user to its arrival. In other cases, the exploit may not run until the message is actually viewed, but most users would simply write it off as harmless spam or a message from a wrong number.
Once inside the system, code running inside StageFright automatically has access to the camera and microphone, as well as Bluetooth peripherals and any data stored on the SD card. This is bad enough, but unfortunately it’s only the beginning.
While Android Lollipop implements a number of security improvements, most Android devices still run older OS versions and are vulnerable to a so-called «privilege escalation attack». Typically, Android apps are «sandboxed», giving them access only to those parts of the OS for which they have been granted explicit permission. Privilege escalation attacks allow malicious code to «trick» the Android operating system into giving it more and more access to the device.
Once a malicious MMS message has gained control of StageFright, it could use these attacks to take full control of older, insecure Android devices. This is a nightmare scenario for device security. The only devices that are completely immune to this issue are those running operating systems older than Android 2.2 (Froyo), the version in which StageFright was first introduced.
Slow response
The StageFright vulnerability was first discovered in April by the Zimperium zLabs security research team. The researchers reported the issue to Google, and Google quickly released a patch to manufacturers; however, very few device manufacturers have actually shipped the patch to their devices. The researcher who discovered the bugs, Joshua Drake, estimates that about 950 million of the roughly one billion Android devices in circulation are vulnerable to some form of attack.
According to Drake, Google’s own devices such as the Nexus 6 have been partially patched, although some vulnerabilities remain. In an email to FORBES on the subject, Google assured users that
“Most Android devices, including all new devices, have several technologies designed to make them harder to use. Android devices also include an app sandbox designed to protect user data and other apps on the device.”
However, that is not much comfort. Before Android the Android sandbox has been relatively weak, and there are several known exploits that can be used to bypass it. It is imperative that manufacturers release a suitable patch for this problem.
What can you do?
Unfortunately, hardware manufacturers can be very slow to roll out even critical security patches like this one. It is certainly worth contacting your device manufacturer’s customer support department and asking for an estimate of when a fix will be available. Public pressure is likely to help speed up the process.
For his part, Drake plans to fully disclose his findings at the DEFCON international security conference in early August. Hopefully the additional publicity will push device manufacturers to release updates quickly, now that the attack is public knowledge.
More broadly, this is a good example of why Android fragmentation is such a security nightmare.
In a closed ecosystem like iOS, a patch for a bug like this can be released in a matter of hours. On Android, it can take months or years for a patch to reach every device because of the huge level of fragmentation. I’m interested to see what decisions Google makes in the coming years to take the release of these important security updates out of the hands of device manufacturers.