'Stagefright' Flaw: Compromise Android With Just a Text

An anonymous reader writes: Up to 950 million Android phones may be vulnerable to a new exploit involving the Stagefright component of Android, which lets attackers compromise a device through a simple multimedia text — even before the recipient sees it. Researchers from Zimperium zLabs reported the related bugs to Google in April. Google quickly accepted a patch and distributed it to manufacturers, but the researchers say they don't think the manufacturers have yet passed it on to most consumers.

"The weaknesses reside in Stagefright, a media playback tool in Android. They are all "remote code execution" bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright's permissions. That would allow for recording of audio and video, and snooping on photos stored in SD cards. Bluetooth would also be hackable via Stagefright."

How to Disable Stagefright?

[Anonymous Coward]

How can Stagefright be uninstalled / disabled?

Re:

[grilled-cheese]

How can Stagefright be uninstalled / disabled?

Buy a new phone with a version that includes the patches to begin with.

/system/lib/libstagefright*

[emil]

The problem appears to lie in one of the files /system/lib/libstagefright*

NPR is saying [npr.org] that Google Hangouts makes the problem worse:

The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery... this setup invites the malware right in. If you're using the phone's default messaging app, he explains, it's "a tiny bit less dangerous." You would have to view the text message before it processes the attachment. But, to be clear, "it does not require in either case for the targeted user to have to play back the media at all," Drake says.

It would appear prudent to uninstall Google Hangouts. If you can disable MMS with your carrier, do so, otherwise do not look at text messages from originators that you do not know - delete the conversations.

Carriers are unlikely to patch (look at SamsungIME.apk if you think OEMs or carriers will lift a finger to help us).

Root your phone, and await a new set of /system/lib/libstagefright* files - Cyanogenmod will likely provide KitKat copies if they ever shirk their laziness long enough to deliver the final promised KitKat milestone.

Re:/system/lib/libstagefright*

[GNious]

If you can disable MMS with your carrier, do so, otherwise do not look at text messages from originators that you do not know - delete the conversations.

While seems like generally prudent step, in this case...

lets attackers compromise a device through a simple multimedia text — even before the recipient sees it.

Re:

[Overzeetop]

"Root your phone, and await a new set of /system/lib/libstagefright* files"

I'm actually kind of hoping this is a viable option. I dread the idea of re-installing my phone from scratch, but a drop-in replacement for the affected files would certainly be welcome.

Re:/system/lib/libstagefright*

[drinkypoo]

I'm actually kind of hoping this is a viable option. I dread the idea of re-installing my phone from scratch, but a drop-in replacement for the affected files would certainly be welcome.

Probably not. libstagefright is, nominally, per-GPU. Every GPU vendor would have to roll their own. And then it would have to be tested... It's just not going to happen at all. Everyone is going to say "time to move on" and blame the vendors. The vendors will blame the GPU makers...

Hangouts can not be removed

[erice]

It would appear prudent to uninstall Google Hangouts.

Prudent but not always possible. On some versions of Android, Google Hangouts is a system app part of the os image. It can not be uninstalled. Only updates can be uninstalled, which is not helpful in this case.

This is not the case of my old phone. It runs Gingerbread and Hangouts did not exist when Gingerbread came out. It also not true of my new phone. I'm running a third party "debloated" version of Lollipop that omits Hangouts and other not-necessarily desired apps from the image.

Root your device. Do not purchase locked devices.

[emil]

If you have rooted your device, you can remount /system in read-write mode, and from there you can remove any file in /system/app (thus removing Google Hangouts if it was installed in this location).

Google, the OEMs, and the carriers have formally abdicated any security stewardship for Android (case in point - Towelroot).

If you wish to maintain a secure Android device, you must root it yourself. No one else can or will help you until you root.

Re:

[jenningsthecat]

Even root access won't save my HTC Desire 510. Whenever I mount the system as read-write and remove files, (such as Facebook and Twitter .apk and .odex files), or even change files, (such as that stupid MP3 the phone plays while the screen says 'Quietly Brilliant'), HTC oh-so-helpfully restores them for me at the next cold boot, whether or not there's any network access. I'd love to install Cyanogenmod, but there's no fully functional ROM available for my phone.

Re:

[emil]

Try installing zero-size files of the same name. Set the permissions to 000, and apply the immutable bit (chattr +i). The chattr command is bundled with the SuperSU; it is also included with busybox.

In the ksh, applying the output redirection operator to a file without a preceding command will serve to truncate the target file (i.e.: > facebook.apk).

Re:

[emil]

Also try making the file as a directory, and/or installing it as the null device file. On my Android, based on the directory entry for /dev/null, I might install an alias for it as mknod c 1 3 /system/app/facebook.apk

Re:

[jenningsthecat]

Thanks emil, I'll try those things. I already set the perms to 000, and that didn't work, but I've never heard of the 'immutable bit' before - have to check that one out. Can I do it from Root File Explorer, or do I need to get to a terminal?

I'll try the folder idea first, as it's easy and I've previously used it on my Linux boxen to get rid of the 'Recently Used' file.

immutable

[emil]

You might try creating it as a directory first - you're trying to sabotage whatever script is running that restores these files, and the simplest sabotage is the best.

Here is the description of the immutable flag from the chattr man page:

A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attri

Re:

[righteousness]

None of your suggestions would work unless the phone is modded to S-Off mode to remove the write protection. What actually happens in S-On mode, which is the default, is that any change to the system files is actually made to a copy-on-write virtual filesystem. This virtual filesystem is reset on every boot so you'd get back to where you started. So there's no script that is run to restore the files as you assumed because the files are never touched in the first place.

Re:

[macs4all]

If you wish to maintain a secure Android device, you must root it yourself. No one else can or will help you until you root.

So, IOW, for the 99.999999997% of Android Users that don't even know what "rooting" is, let alone how to do it, they are simply SOL until they purchase an iPhone.

Very true...

[emil]

...and I hope the class action lawsuits provide a useful object lesson to the Android marketplace about the importance of security patches. The more vendor agony, the better at this point.

Re:

[Vitriol+Angst]

they are simply SOL until they purchase an iPhone.

I seem to remember reading that in the Android support manual.

Re:Root your device. Do not purchase locked device

[macs4all]

I'm sure the attention this will be receiving from the media will force the vendors to patch this. They wouldn't want a massive turnover to iPhone because they were too lazy to provide a simple patch,

How much would you like to lose on that bet?

Re:

[bemymonkey]

You can disable system apps in the last few Android versions. This doesn't uninstall them, but it does prevent them from running.

Re:

[macs4all]

Root your phone, and await a new set of /system/lib/libstagefright* files - Cyanogenmod will likely provide KitKat copies if they ever shirk their laziness long enough to deliver the final promised KitKat milestone.

So, what do you suggest for the 99.99999997% of the Android Users that wouldn't know how to "root your phone" or even what that means?

Oh, I know: They're just stupid LUsers that deserve to be pwned, right?

Re:

[CylanR77]

They just haven't been paying attention to their history lessons.

Outlook used to do the same sort of thing, with similar results: it would automatically display emails and certain attachments, and it turns out that some types of media or emails could have had malware embedded in them...

But hey, that was over ten years ago so surely this sort of problem could never come up again, right?

Re:

[arkane1234]

Nah, Hangouts is owned by Google, you're okay.

Re:How to Disable Stagefright?

[Anonymous Coward]

Please follow this guide to disable it:
1. Stand up
2. Take phone in hand
3. Take a few steps to the trash bin
4. Throw phone in trash bin

Re:How to Disable Stagefright?

[macs4all]

Please follow this guide to disable it:

1. Stand up
2. Take phone in hand
3. Take a few steps to the trash bin
4. Throw phone in trash bin

That was modded "Funny"; but it's actually True for the vast majority of Android Users.

Re:

[Tough Love]

There's an easier way. Just put the phone in airplane mode. Problem solved. (Some minor loss in functionality may occur, but you can never be too safe....)

No problem, it will still work fine as a bottle opener.

Re:How to Disable Stagefright?

[Anonymous Coward]

in build.prop, media.stagefright.enable-player=false

Can we confirm?

[emil]

What is the impact if other media.stagefright* entries are disabled? I see a long list.

Re:How to Disable Stagefright?

[Ukab the Great]

Imagining everyone who texts you in their underwear.

Re:

[wonkey_monkey]

What are the chances of someone texting me while I'm in their underwear?

-----------------------

Alternative reply: Way ahead of you.

Android versions prior to Jelly Bean, version 4.1

[Anonymous Coward]

"Android versions prior to Jelly Bean, version 4.1, representing roughly 100 million devices, have “inadequate exploit mitigations” that wouldn’t prevent Stagefright attacks over MMS."

You're welcome.

Re:

[itamihn]

This sounds far less than the 95% of Android devices stated in the article. It would affect 11% of users (http://developer.android.com/about/dashboards/index.html).

Re:

[dsparil]

Versions before 4.1 are extra vulnerable because stagefright has more privileges in those versions; I think the difference is that stage fright is sandboxed in 4.1+, but not in previous versions. So, 4.1+ is limited, an understatement, to unfettered access to the camera, microphone and storage barring the use of an additional exploit. 4.0- is totally screwed.

Re:

[jpyeck]

I interpreted this sentence to imply that these versions (prior to 4.1) can not even be PATCHED. Poorly worded to say the least.

Re:

[the_B0fh]

How can pre-Jelly Bean ~= 100 million devices?

This would mean post Jelly Bean ~= 1 billion devices?!?! Not possible.

Re:Android versions prior to Jelly Bean, version 4

[Anonymous Coward]

It's a mix of two factors:
1) Fixes are available for 4.1 and up, *but*
2) Virtually no phones have *received* the patch, because it has to flow through the manufacturer, and they simply don't *care* about updating any phone which isn't currently their flagship model.

Re:

[amicusNYCL]

How's that iPhone sounding about now?

Literally exactly the same that it sounded before this was announced. I'm going through my list of all of the reasons why I don't have an iPhone, and this announcement doesn't seem to have changed even a single one of those reasons.

Re:Android versions prior to Jelly Bean, version 4

[Karlt1]

The difference is that when Apple patches a security flaw, every semi-current iPhone user worldwide can install the patch and Apple usually patches the current version and one version back. For instance, the "goto fail" security patch that was released in March 2014 patched every phone back to iPhone 3GS in 2009 (patch for 6.x) and IOS 7.

Re:

[macs4all]

Google patched it back in April. The manufacturer's of the phone's are now responsible for providing it to you.

No, you mean the CARRIER'S are now "responsible" for providing it to you; since THEY are the final arbiters of what code runs in your phone.

iPhone isn't any faster. There were multiple exploits and problems that went for months until they made headlines.

1. There is no company called "iPhone". Just like there is no company called "Android".

2. Citation, please?

Plus with this information any user can root their phone and fix it.

No. With this information, some Slashdot readers can root their phone and fix it. For those who even HAVE a "rootable" Android phone, the vast majority wouldn't even know how to look up how to root their Android device, let alone be able to actually do it without

Re:

[tepples]

1. There is no company called "iPhone".

The legal name of the company is Apple Inc. It has the authority to update system software on iPhone and iPad brand devices. When people refer to "iPhone", they refer to the division of Apple responsible for iOS updates.

Just like there is no company called "Android".

A company called Google Inc. acquired a company called Android Inc. But there is no one entity with authority to update system software on devices. This is delegated to device manufacturers (for Wi-Fi-only tablets) or to carriers (for phones and tablets supporting cellular data service).

Re:

[exomondo]

Google patched it back in April. The manufacturer's of the phone's are now responsible for providing it to you.

That's the problem with the Android ecosystem, Google makes the code change but then the questions of how/when/if that will reach users remain unanswered. Yes Android is open source (well the AOSP is anyway) but Google has the Open Handset Alliance which enforces terms on its members so they can use Google's Android services and get early access to the source code. Part of this contract should be a well-defined mechanism and commitment for getting security updates to users.

When Apple puts out an update for

What benefit to announcing it?

[pz]

This group sounds like they acted reasonably and responsibly, letting Google know there was a problem, and submitting good patches to correct the issue.

If, now, there's some other fundamental impediment to distributing a correction to the bug that does not have to do with Google, but rather with the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix, why should the vulnerability be made public? I don't see any apparent upside to the public good.

Re:

[Anonymous Coward]

Vendors like to sit on their hands when there's no direct incentive to do otherwise. Unless there's a deadline where "bad things happen", they'll sit on their hands forever. The public good is that it teaches the vendors that there's consequences to hand sitting.

Re:What benefit to announcing it?

[Bugler412]

Upside would be forcing carriers and OEMS to actually support their product in an ongoing fashion rather than quietly stopping updates shortly after releasing the device, as is the case with many lower end Android devices

Re:

[DarkOx]

Because if one person can find an exploit so can someone else. At some point you have to go public because other ways Hacking Team like business can just keep selling it as a zero day to all manor of bad actors and end users are left exposed.

At lease if you let the cat out of the bag individuals can decide to stop using their phone if they believe the liberty or safety may be threatened as result. At that point you may be exchanging some activist keeping his head attached to his neck for price of script k

Re:What benefit to announcing it?

[macs4all]

Even Apple is not immune to this. Their very expensive disposable shit is not supported forever, and god forbid should an exploit be found then.

NOTHING is supported "Forever". It is simply impractical to do so.

However, if you think the "Support" (or rather, complete lack thereof) that is given to nearly EVERY Android Device has even the SLIGHTEST resemblance to the Support given to iOS devices even several years old (my iPad 2 and iPhone 4s STILL receive OS Updates), you are simply delusional.

Re:

[sjames]

But the devices won't last forever, so that's not what is being asked of vendors. Support as long as the hardware can reasonably be expected to last in significant numbers is a much shorter period of time and probably not so much of an ask.

If they don't want to commit for that long, perhaps they should advertise their product as disposable.

Re:What benefit to announcing it?

[macs4all]

But the devices won't last forever, so that's not what is being asked of vendors. Support as long as the hardware can reasonably be expected to last in significant numbers is a much shorter period of time and probably not so much of an ask.

If they don't want to commit for that long, perhaps they should advertise their product as disposable.

Your point being?

Apple has hands-down the best track record of supporting less-than-current-generation mobile hardware. Even Google is dropping support for most of the past generations of NEXUS hardware; something they basically stated they wouldn't do.

And as for all the rest of the Android OEMs: Well, they should simply be ashamed of themselves, period.

Re:

[sjames]

Apple is the best of the bad, Google is slipping and breaking promises and as usual, the carriers are making squishy sounds in the slime pit.

But since the entire concept of the free market depends on well educated consumers, the FTC should make the market stronger by forcing them all to state the service life up front and stick to it. For the good of the market.

Re:

[Tough Love]

Google already updated my (gen 1) Nexus 7, yesterday. Not bad. Google gets a gold star for being responsible.

But for my trusty HTC Vision (aka Desire Z aka T-Mobile G2) which has a Google logo on it... I guess Cyanogen. A pain. Google should have planned that out better and gets a black star for being stupid.

Re:

[Tough Love]

Ah, that would be my Nexus 4, not Nexus 7. The Nexus 7 doesn't have a phone number anyway, so Iit is most probably safe for the time being.

Re:

[cynicist]

My Nexus 4 is still getting the latest OS updates even though it is several years old, and the Nexus 5 is as well. The main reason the Galaxy Nexus isn't getting further support is likely because the chipset manufacturer has exited the market entirely.

Don't forget that Google does not make the hardware themselves, unlike Apple.

Re:

[Tough Love]

If vendors were even halfway responsible and ethical, the last OTA before dropping support would always always leave the rom unlocked for community maintenance. But vendors are not anywhere near halfway responsible and are more than halfway stupid.

Re:

[sjames]

Agreed.

Re:

[the_B0fh]

Even Apple is not immune to this. Their very expensive disposable shit is not supported forever, and god forbid should an exploit be found then. What are Appletards supposed to do ? Simple, fork over more Franklin's for the new shiny cell phone and the cycle continues on and on.

Apple supported the iPhones with up to 4 years of patches. Is there any company with better track record? Oh, you want support forever? You should get a phone with an annual support contract then.

Re:

[Bugler412]

even mass produced inflexible feature phones have exploits and vulnerabilities, just not as widely abused or as powerful

Re:

[Shakrai]

My Western Electric Model 1500 [telephonearchive.com] begs to differ.

Re:

[Blaskowicz]

Mine doesn't have a web browser, or even MMS.
It's still a tiny computer (has USB, SD, FM) and *maybe* it can be messed with, but the easier way would be to take a JTAG to it after stealing it from me somehow.

Re:

[mwvdlee]

I don't see any apparent upside to the public good.

If vulnerabilities would never be publically exposed, it would remove incentive to fix the vulnerabilities.
Companies generally don't like to spend money fixing problems that they could far more cheaply deny.
The public good of "public disclosure" is that it makes companies accountable for their (in)actions.

Re:What benefit to announcing it?

[zarmanto]

... the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix...

Faulty premise: The issue isn't that they do not have the ability to distribute fixes; it's that they each have different levels of corporate red tape, preventing the expeditious distribution of these fixes. That's been an ongoing problem in the Android market for years, now. Thus, the benefit of this reveal is that, when an exploit hits the wild (and it would have with or without this announcement) these researchers (and Google) can all respond to outraged customers by saying, "Don't blame me! I did my part!" and point their fingers out to the carriers.

Google dropped the ball being too permissive

[Anonymous Coward]

If Windows or Linux or Unix or any other manufacturer of an operating system had put the ability and responsibility for patching the OS in the hands of the device manufacturers or the ISPs or anybody else, they would all have the same problem that Android is suffering.

Android gets tarnished, not because Google is lax in the updates, but because Google allowed the carriers/device manufacturers to take ownership for patching devices. At least MSFT was smart enough not to leave that up to Dell, Acer, Compaq, HP, etc.

Google should draw a line in the sand and say going forward they will issue the patches and the carriers have to enable that on new devices or they can't play with Android toys.

Re:

[Anonymous Coward]

Thats not how open source works though. You cannot force downstream projects to pull upstream fixes.

Re:

[macs4all]

Thats not how open source works though. You cannot force downstream projects to pull upstream fixes.

Like Android is Open Source, anyway. Just TRY to get ALL the Source for your nice Galaxy 6.

Re:

[the_B0fh]

Do you even understand what open source is? Just means source is available. Nothing to do with whether you can pull fixes, etc.

And Google can force them because the manufacturers have signed an agreement with Google.

Re:

[0123456]

Except Google don't even keep updating their own devices. Last I heard, it sounded like they're tossing several Nexus devices out the window with Android M.

Much as I hate to do so, I'll be replacing my Nexus 7 with an iPad when Google obsolete it. I'm sick of Android's hopeless lack of security, lack of permission controls, and lack of updates.

Re:

[0123456]

Enjoy getting updates that cripple your device while still being vulnerable to web/etc based root vulnerabilities.

Just like Android, then.

Except you can keep installing the updates until the device is simply too outdated to run them.

Re:

[Tough Love]

At least MSFT was smart enough not to leave that up to Dell, Acer, Compaq, HP, etc.

Well... but Microsoft's devices are still the ones that regularly end up so infested with malware they aren't usable at all, except perhaps for malware distribution. Maybe not the best model to emulate.

Re:

[cliffjumper222]

Having worked for a phone manufacturer, the biggest red tape of all is the complete lack of budget to pay for maintaining software on a device that has been sold and is generating no revenue after that point. The only companies that make $'s are the carriers, the app sellers and Google. The carriers can and do twist the arm of OEM's to keep SW updated, but I've never heard of a carrier willing to pay a maintenance fee to OEM's for this. Anyone else know if this happens?

Re:

[macs4all]

Having worked for a phone manufacturer, the biggest red tape of all is the complete lack of budget to pay for maintaining software on a device that has been sold and is generating no revenue after that point. The only companies that make $'s are the carriers, the app sellers and Google. The carriers can and do twist the arm of OEM's to keep SW updated, but I've never heard of a carrier willing to pay a maintenance fee to OEM's for this. Anyone else know if this happens?

Funny; Apple seems to do it just fine (yes, yes: only to a point, of course). But that's because they were smart enough to retain control of their product; rather than allowing every downstream "partner" to stick their grimy little hands (and grimy code) into the codebase.

Wow! An OEM actually having a say about what code runs in their products... What a concept!!!

Re:What benefit to announcing it?

[brunes69]

I disagree. It will put pressure on all the cell phone manufacturers and carriers to stop dragging their feet and release updates in a timely fashion.

This way Google and the group can say "we warned you" if a bunch of Verizon Samsung customers get exploited because Verizon would not allow the release to be published. No carrier wants that kind of news item.

Re:

[Overzeetop]

Verizon doesn't give a rat's ass. You want a fixed phone, come by a new one you fucking turd. Oh, and pay more for the service because fuck you. .

To those who believe that when they paid $200 for a phone as a guarantee for being able to pay $600-1000/yr for service: Well, in the immortal words of their spokesperson, "Pray I do not alter [the deal] any further"

Re:

[jo_ham]

Since Google has patched the exploit in the main Android distribution, the announcement is to "encourage" OEMs who haven't yet pushed that fix to still-vulnerable devices.

Re:

[macs4all]

If, now, there's some other fundamental impediment to distributing a correction to the bug that does not have to do with Google, but rather with the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix, why should the vulnerability be made public? I don't see any apparent upside to the public good.

Now, if the shoe was on the other foot, and the vulnerability was in iOS instead, would you be of the same opinion?

And I'm sorry, if you have the resources of a cellphone manufacturer, then you DO have the resources to distribute a fix, sorry.

value on black market

[edxwelch]

So, remote execution vunerbility on nearly 1 billion devices...
I wonder how much they would have made if they had sold it on the black market, instead of telling Google about it?

How to fix it.

[Anonymous Coward]

Please give me your phone numbers so I can text you the fix for this issue.

Re:How to fix it.

[JBallz]

867-5309

Re:

[vettemph]

I got it.

You joke, but maybe this is what needs doing

[PeterM from Berkeley]

It's questionable ethics to fix a security flaw for someone by hacking into their system to fix it, but it DOES seem preferable to have a white-hat text patches out to everyone prior to exploit by a bad actor, especially if the fix is relatively simple and low-risk.

Better yet would be if the vendors just took care of it, of course, but given their lack of motivation and alacrity.....

--PM

Re:

[Qzukk]

Better yet would be if the vendors just took care of it, of course, but given their lack of motivation and alacrity

Perhaps the first step could be to hack the execs' phones and make them send text messages out to all the employees telling them that this patch needs to be pushed ASAP.

Re:

[Lord Duran]

And who would compensate me for time and money lost when the white-hat "fix" bricks my phone out of the blue?

NuPlayer

[brunes69]

It is unclear to me from these articles or any research I was able to do, if you are vulnerable to this exploit if you use Lollipop which uses NuPlayer by default, not Stagefright.

Re:

[IamTheRealMike]

Don't worry, NuPlayer is sure to have its own unique collection of buffer overflows!

Are you safe if you turn off your data plan?

[GoodNewsJimDotCom]

I have my data plan turned off. When I receive multimedia texts, it receives nothing but a message prompting me to download it, but it doesn't actually download anything.

Re:

[macs4all]

Don't visit websites, don't play any games that display ads, don't ever download multimedia texts (they download via wifi as well) Essentially your smartphone cannot be a smartphone safely until this is patched.

My iPhone can.

Android in a car?

[used2win32]

We see reports here is exploits like this or RSC Android last week ( Link [slashdot.org]), the reports more than 99% of all mobile malware targeting Android (Link [google.com]) etc., and it makes me wonder... Why would anyone trust a vehicle running Android?

If your phone stops working you can get another one (less than 1% of mobile malware targets Apple iOS, Windows and Blackberry combined), if your car stops working or gets hacked, it can kill you. Just wait until the first time the brakes are not available until you pay the ranso

Unpaid Blackberry shill...

[Rigel47]

Yep, gonna be that annoying SoB and just make note that my BlackBerry z10 has had no ridiculous remote exploit vulnerabilities like this, has the worlds best messaging platform (BlackBerry Hub), awesome battery life, a rock-solid OS that multi-tasks like a dream. And it can run most all Android apps (though they are sandboxed to prevent their many flaws from compromising the rest of the system).

Now bring on the BB bashing!

Re:

[Anonymous Coward]

Now bring on the BB bashing!

Not really much fun picking on you and the three other BB users around here...

How does this differ from installing FB client?

[See Attached]

Who hasn't given up any expectation privacy when installing apps that want to pull your contact list, accounts, bloody everything? Then on the logistics front: the play store provides updates to hangout. Why would vendor (ex: Samsung, Verizon, Motorola) need to provide a patch? Is this core functionality the issue? Would seem the next time Play store wants to update Hangouts, in goes the patch. Is this just -another- slow press day when we are all supposed to be afraid, and pay attention to the media?

Re:

[mr_mischief]

The vulnerability isn't in Hangouts. It's in Stagefright, which is a media library. Hangouts is only important here because it uses Stagefright in a way that exacerbates the issue. You can't fix Stagefright by updating Hangouts. You have to update Stagefright, which is part of the OS rather than part of an app.

Re:

[See Attached]

Ok, thanks for the clarification. Sounds like an FTC issue then... as we are paying our carriers to provide service and support. Thats the expectation anyway. Is the real-world fix then to root the phone, delete stagefright libraries, while we wait for this long suspected vulnerability to get fixed by our carrier? This is a long recognized issue, shame on the Android Ecosystem for not having a solution now that day 1 is upon us. What do we lose if we root/delete the stagefright libraries? All multimed

Re:

[alanxyzzy]

What do we lose if we root/delete the stagefright libraries?

On my Nexus 7 tilapia / Cyanogenmod, 2015-07-26 snapshot I believe, I tried
su -
mount -o remount,rw /system
cd /system/lib
mkdir sf.bak
mv libstagefright* sf.bak

Tried a couple of apps, seemed OK, so re-booted.

Hung on the boot spinner, didn't get as far as prompting to decrypt the user partition

Mitigation

[XXeR]

"There are some mitigations, for example, in Google Hangout settings, a user is able to request that MMS messages are not automatically downloaded."

Source: https://threatpost.com/android... [threatpost.com]

Re:

[macs4all]

"There are some mitigations, for example, in Google Hangout settings, a user is able to request that MMS messages are not automatically downloaded."

Source: https://threatpost.com/android... [threatpost.com]

What about the setting that keeps MMS messages from being accidently downloaded? Where's that setting?

Oh, wait...

A bunch of people...

[Chris Katko]

A bunch of people here are all saying "vendors don't give a crap.", but I got a nag screen for a security update a few days ago on my Samsung S5, and if that addresses this issue, then they fixed it before I even knew there was a problem.

Re:

[Zanadou]

Nexus 7, original (2012) version?

I'm on Gingerbread, so...

[Qzukk]

I'm pretty fucked if anyone wants to pwn my Sprint HTC Evo 4G.

Re:

[steveg]

Where did you hear that Lollipop was unaffected or that *any* non-stock AOSP ROMs are unaffected?

According to the article, there have been *some* mitigation features in all versions Jellybean and later, but that even the Nexus 6 with the latest firmware has only blocked *some* of the vulnerabilities.

Re:

[cant_get_a_good_nick]

Old versions of Android are not only affected, but less sandboxed. Android phones don't get updates that often. There are huge numbers of phones 4.x, much less Lollipop.

Re:

[macs4all]

I will never get anything other than a NEXUS !!!!

Hopefully not a NEXUS 5; because the Googles aren't fixing that, either.

Re:

[cant_get_a_good_nick]

not quite what you meant, but a tweet of a malicious video can do this.

Mild irony if Google becomes a vector for pwning android phones with bad videos. If I was a youtube engineer, i'd be working overtime to create a filter for bad filters.

Re:

[Tough Love]

If you own an old one you are SOL. HTC typically provides a few OTA updates per model.