
Android Stagefright Flaws Put 950 Million Devices at Risk



Unlike Windows and Apple, who patch their mobile devices directly, Android users by and large are at the mercy of their phone manufacturer for updates, which sometimes take a year and, with older devices, never come. Straight Talk, as an example, uses Samsung phones like the one my wife has, which are unsupported as they are several versions back. If you can update, it might be smart to do so by whatever channel. They are initially calling this Android's "Heartbleed", referring to a serious vulnerability in Windows a couple of years back.


Whether hyperbole or a very real threat, this one bears watching.




"Vulnerabilities discovered in the Stagefright media playback engine that is native to Android devices could be the mobile world’s equivalent to Heartbleed. Almost all Android devices contain the security and implementation issues in question; unpatched devices are at risk to straightforward attacks against specific users that put their privacy, data and safety at risk.


Google has patched internal code branches, but devices require over-the-air updates and given the shaky history of handset manufacturers and carriers pushing out security fixes, it’s unknown how long it will take to update vulnerable devices, or whether some will ever get fixed. Silent Circle has patched its Blackphone against the vulnerabilities, as has Mozilla, which uses Stagefright code in Firefox.


The flaws have been in Android since—and including—version 2.2; devices running Android versions older than Jelly Bean (4.2) are at greater risk since they lack exploit mitigations that have been built into newer versions of the OS.


Researcher Joshua Drake, vice president of platform research and exploitation at Zimperium zLabs, said exploits could be particularly insidious given the fact that an attacker need only use a malicious MMS message that could trigger the vulnerability without user interaction, and delete the message before the victim is aware. All an attacker would need, Drake said, is the device’s phone number.


“It’s a nasty attack vector,” he said.


The problem is that Stagefright is an over-privileged application with system access on some devices, which enables privileges similar to apps with root access. Stagefright is used to process a number of common media formats, and it’s implemented in native C++ code, making it simpler to exploit.


“On some devices, [stagefright] has access to the system group, which is right next to root—very close to root—so it should be easy to get root from system,” Drake said. “And system runs a lot of stuff. You’d be able to monitor communication on the device and do nasty things.”"



Much more in the full article at: https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960
