Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Android Security

'Stagefright' Flaw: Compromise Android With Just a Text 203

An anonymous reader writes: Up to 950 million Android phones may be vulnerable to a new exploit involving the Stagefright component of Android, which lets attackers compromise a device through a simple multimedia text — even before the recipient sees it. Researchers from Zimperium zLabs reported the related bugs to Google in April. Google quickly accepted a patch and distributed it to manufacturers, but the researchers say they don't think the manufacturers have yet passed it on to most consumers.

"The weaknesses reside in Stagefright, a media playback tool in Android. They are all "remote code execution" bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright's permissions. That would allow for recording of audio and video, and snooping on photos stored in SD cards. Bluetooth would also be hackable via Stagefright."
This discussion has been archived. No new comments can be posted.

'Stagefright' Flaw: Compromise Android With Just a Text

Comments Filter:
  • by Anonymous Coward

    How can Stagefright be uninstalled / disabled?

    • How can Stagefright be uninstalled / disabled?

      Buy a new phone with a version that includes the patches to begin with.

      • by emil ( 695 ) on Monday July 27, 2015 @11:09AM (#50190643)

        The problem appears to lie in one of the files /system/lib/libstagefright*

        NPR is saying [npr.org] that Google Hangouts makes the problem worse:

        The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery... this setup invites the malware right in. If you're using the phone's default messaging app, he explains, it's "a tiny bit less dangerous." You would have to view the text message before it processes the attachment. But, to be clear, "it does not require in either case for the targeted user to have to play back the media at all," Drake says.

        It would appear prudent to uninstall Google Hangouts. If you can disable MMS with your carrier, do so, otherwise do not look at text messages from originators that you do not know - delete the conversations.

        Carriers are unlikely to patch (look at SamsungIME.apk if you think OEMs or carriers will lift a finger to help us).

        Root your phone, and await a new set of /system/lib/libstagefright* files - Cyanogenmod will likely provide KitKat copies if they ever shirk their laziness long enough to deliver the final promised KitKat milestone.

        • by GNious ( 953874 ) on Monday July 27, 2015 @11:33AM (#50190847)

          If you can disable MMS with your carrier, do so, otherwise do not look at text messages from originators that you do not know - delete the conversations.

          While seems like generally prudent step, in this case...

          lets attackers compromise a device through a simple multimedia text — even before the recipient sees it.

        • "Root your phone, and await a new set of /system/lib/libstagefright* files"

          I'm actually kind of hoping this is a viable option. I dread the idea of re-installing my phone from scratch, but a drop-in replacement for the affected files would certainly be welcome.

          • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday July 27, 2015 @05:24PM (#50193507) Homepage Journal

            I'm actually kind of hoping this is a viable option. I dread the idea of re-installing my phone from scratch, but a drop-in replacement for the affected files would certainly be welcome.

            Probably not. libstagefright is, nominally, per-GPU. Every GPU vendor would have to roll their own. And then it would have to be tested... It's just not going to happen at all. Everyone is going to say "time to move on" and blame the vendors. The vendors will blame the GPU makers...

        • It would appear prudent to uninstall Google Hangouts.

          Prudent but not always possible. On some versions of Android, Google Hangouts is a system app part of the os image. It can not be uninstalled. Only updates can be uninstalled, which is not helpful in this case.

          This is not the case of my old phone. It runs Gingerbread and Hangouts did not exist when Gingerbread came out. It also not true of my new phone. I'm running a third party "debloated" version of Lollipop that omits Hangouts and other not-necessarily desired apps from the image.

          • by emil ( 695 ) on Monday July 27, 2015 @01:01PM (#50191625)

            If you have rooted your device, you can remount /system in read-write mode, and from there you can remove any file in /system/app (thus removing Google Hangouts if it was installed in this location).

            Google, the OEMs, and the carriers have formally abdicated any security stewardship for Android (case in point - Towelroot).

            If you wish to maintain a secure Android device, you must root it yourself. No one else can or will help you until you root.

            • Even root access won't save my HTC Desire 510. Whenever I mount the system as read-write and remove files, (such as Facebook and Twitter .apk and .odex files), or even change files, (such as that stupid MP3 the phone plays while the screen says 'Quietly Brilliant'), HTC oh-so-helpfully restores them for me at the next cold boot, whether or not there's any network access. I'd love to install Cyanogenmod, but there's no fully functional ROM available for my phone.

              • by emil ( 695 )

                Try installing zero-size files of the same name. Set the permissions to 000, and apply the immutable bit (chattr +i). The chattr command is bundled with the SuperSU; it is also included with busybox.

                In the ksh, applying the output redirection operator to a file without a preceding command will serve to truncate the target file (i.e.: > facebook.apk).

              • by emil ( 695 )
                Also try making the file as a directory, and/or installing it as the null device file. On my Android, based on the directory entry for /dev/null, I might install an alias for it as mknod c 1 3 /system/app/facebook.apk
                • Thanks emil, I'll try those things. I already set the perms to 000, and that didn't work, but I've never heard of the 'immutable bit' before - have to check that one out. Can I do it from Root File Explorer, or do I need to get to a terminal?

                  I'll try the folder idea first, as it's easy and I've previously used it on my Linux boxen to get rid of the 'Recently Used' file.

                  • by emil ( 695 )

                    You might try creating it as a directory first - you're trying to sabotage whatever script is running that restores these files, and the simplest sabotage is the best.

                    Here is the description of the immutable flag from the chattr man page:

                    A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attri

                    • None of your suggestions would work unless the phone is modded to S-Off mode to remove the write protection. What actually happens in S-On mode, which is the default, is that any change to the system files is actually made to a copy-on-write virtual filesystem. This virtual filesystem is reset on every boot so you'd get back to where you started. So there's no script that is run to restore the files as you assumed because the files are never touched in the first place.
            • Re: (Score:3, Insightful)

              by macs4all ( 973270 )

              If you wish to maintain a secure Android device, you must root it yourself. No one else can or will help you until you root.

              So, IOW, for the 99.999999997% of Android Users that don't even know what "rooting" is, let alone how to do it, they are simply SOL until they purchase an iPhone.

          • You can disable system apps in the last few Android versions. This doesn't uninstall them, but it does prevent them from running.

        • Root your phone, and await a new set of /system/lib/libstagefright* files - Cyanogenmod will likely provide KitKat copies if they ever shirk their laziness long enough to deliver the final promised KitKat milestone.

          So, what do you suggest for the 99.99999997% of the Android Users that wouldn't know how to "root your phone" or even what that means?

          Oh, I know: They're just stupid LUsers that deserve to be pwned, right?

    • by Anonymous Coward on Monday July 27, 2015 @11:08AM (#50190627)

      Please follow this guide to disable it:
      1. Stand up
      2. Take phone in hand
      3. Take a few steps to the trash bin
      4. Throw phone in trash bin

      • by macs4all ( 973270 ) on Monday July 27, 2015 @01:20PM (#50191803)

        Please follow this guide to disable it:

        1. Stand up
        2. Take phone in hand
        3. Take a few steps to the trash bin
        4. Throw phone in trash bin

        That was modded "Funny"; but it's actually True for the vast majority of Android Users.

    • by Anonymous Coward on Monday July 27, 2015 @11:08AM (#50190631)
      in build.prop, media.stagefright.enable-player=false
    • by Ukab the Great ( 87152 ) on Monday July 27, 2015 @11:53AM (#50191035)

      Imagining everyone who texts you in their underwear.

      • What are the chances of someone texting me while I'm in their underwear?

        -----------------------

        Alternative reply: Way ahead of you.

  • by Anonymous Coward on Monday July 27, 2015 @10:53AM (#50190501)

    "Android versions prior to Jelly Bean, version 4.1, representing roughly 100 million devices, have “inadequate exploit mitigations” that wouldn’t prevent Stagefright attacks over MMS."

    You're welcome.

    • This sounds far less than the 95% of Android devices stated in the article. It would affect 11% of users (http://developer.android.com/about/dashboards/index.html).

      • by dsparil ( 844576 )
        Versions before 4.1 are extra vulnerable because stagefright has more privileges in those versions; I think the difference is that stage fright is sandboxed in 4.1+, but not in previous versions. So, 4.1+ is limited, an understatement, to unfettered access to the camera, microphone and storage barring the use of an additional exploit. 4.0- is totally screwed.
    • by jpyeck ( 1368075 )
      I interpreted this sentence to imply that these versions (prior to 4.1) can not even be PATCHED. Poorly worded to say the least.
    • How can pre-Jelly Bean ~= 100 million devices?

      This would mean post Jelly Bean ~= 1 billion devices?!?! Not possible.

  • by pz ( 113803 ) on Monday July 27, 2015 @11:00AM (#50190573) Journal

    This group sounds like they acted reasonably and responsibly, letting Google know there was a problem, and submitting good patches to correct the issue.

    If, now, there's some other fundamental impediment to distributing a correction to the bug that does not have to do with Google, but rather with the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix, why should the vulnerability be made public? I don't see any apparent upside to the public good.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Vendors like to sit on their hands when there's no direct incentive to do otherwise. Unless there's a deadline where "bad things happen", they'll sit on their hands forever. The public good is that it teaches the vendors that there's consequences to hand sitting.

    • by Bugler412 ( 2610815 ) on Monday July 27, 2015 @11:11AM (#50190659)
      Upside would be forcing carriers and OEMS to actually support their product in an ongoing fashion rather than quietly stopping updates shortly after releasing the device, as is the case with many lower end Android devices
      • by DarkOx ( 621550 )

        Because if one person can find an exploit so can someone else. At some point you have to go public because other ways Hacking Team like business can just keep selling it as a zero day to all manor of bad actors and end users are left exposed.

        At lease if you let the cat out of the bag individuals can decide to stop using their phone if they believe the liberty or safety may be threatened as result. At that point you may be exchanging some activist keeping his head attached to his neck for price of script k

    • by mwvdlee ( 775178 )

      I don't see any apparent upside to the public good.

      If vulnerabilities would never be publically exposed, it would remove incentive to fix the vulnerabilities.
      Companies generally don't like to spend money fixing problems that they could far more cheaply deny.
      The public good of "public disclosure" is that it makes companies accountable for their (in)actions.

    • by zarmanto ( 884704 ) on Monday July 27, 2015 @11:18AM (#50190733) Journal

      ... the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix...

      Faulty premise: The issue isn't that they do not have the ability to distribute fixes; it's that they each have different levels of corporate red tape, preventing the expeditious distribution of these fixes. That's been an ongoing problem in the Android market for years, now. Thus, the benefit of this reveal is that, when an exploit hits the wild (and it would have with or without this announcement) these researchers (and Google) can all respond to outraged customers by saying, "Don't blame me! I did my part!" and point their fingers out to the carriers.

      • by Anonymous Coward on Monday July 27, 2015 @11:40AM (#50190919)

        If Windows or Linux or Unix or any other manufacturer of an operating system had put the ability and responsibility for patching the OS in the hands of the device manufacturers or the ISPs or anybody else, they would all have the same problem that Android is suffering.

        Android gets tarnished, not because Google is lax in the updates, but because Google allowed the carriers/device manufacturers to take ownership for patching devices. At least MSFT was smart enough not to leave that up to Dell, Acer, Compaq, HP, etc.

        Google should draw a line in the sand and say going forward they will issue the patches and the carriers have to enable that on new devices or they can't play with Android toys.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Thats not how open source works though. You cannot force downstream projects to pull upstream fixes.

          • Thats not how open source works though. You cannot force downstream projects to pull upstream fixes.

            Like Android is Open Source, anyway. Just TRY to get ALL the Source for your nice Galaxy 6.

          • Do you even understand what open source is? Just means source is available. Nothing to do with whether you can pull fixes, etc.

            And Google can force them because the manufacturers have signed an agreement with Google.

        • by 0123456 ( 636235 )

          Except Google don't even keep updating their own devices. Last I heard, it sounded like they're tossing several Nexus devices out the window with Android M.

          Much as I hate to do so, I'll be replacing my Nexus 7 with an iPad when Google obsolete it. I'm sick of Android's hopeless lack of security, lack of permission controls, and lack of updates.

        • At least MSFT was smart enough not to leave that up to Dell, Acer, Compaq, HP, etc.

          Well... but Microsoft's devices are still the ones that regularly end up so infested with malware they aren't usable at all, except perhaps for malware distribution. Maybe not the best model to emulate.

      • Having worked for a phone manufacturer, the biggest red tape of all is the complete lack of budget to pay for maintaining software on a device that has been sold and is generating no revenue after that point. The only companies that make $'s are the carriers, the app sellers and Google. The carriers can and do twist the arm of OEM's to keep SW updated, but I've never heard of a carrier willing to pay a maintenance fee to OEM's for this. Anyone else know if this happens?

        • Having worked for a phone manufacturer, the biggest red tape of all is the complete lack of budget to pay for maintaining software on a device that has been sold and is generating no revenue after that point. The only companies that make $'s are the carriers, the app sellers and Google. The carriers can and do twist the arm of OEM's to keep SW updated, but I've never heard of a carrier willing to pay a maintenance fee to OEM's for this. Anyone else know if this happens?

          Funny; Apple seems to do it just fine (yes, yes: only to a point, of course). But that's because they were smart enough to retain control of their product; rather than allowing every downstream "partner" to stick their grimy little hands (and grimy code) into the codebase.

          Wow! An OEM actually having a say about what code runs in their products... What a concept!!!

    • by brunes69 ( 86786 ) <slashdot@keir[ ]ad.org ['ste' in gap]> on Monday July 27, 2015 @11:28AM (#50190805)

      I disagree. It will put pressure on all the cell phone manufacturers and carriers to stop dragging their feet and release updates in a timely fashion.

      This way Google and the group can say "we warned you" if a bunch of Verizon Samsung customers get exploited because Verizon would not allow the release to be published. No carrier wants that kind of news item.

      • Re: (Score:3, Insightful)

        by Overzeetop ( 214511 )

        Verizon doesn't give a rat's ass. You want a fixed phone, come by a new one you fucking turd. Oh, and pay more for the service because fuck you. .

        To those who believe that when they paid $200 for a phone as a guarantee for being able to pay $600-1000/yr for service: Well, in the immortal words of their spokesperson, "Pray I do not alter [the deal] any further"

    • by jo_ham ( 604554 )

      Since Google has patched the exploit in the main Android distribution, the announcement is to "encourage" OEMs who haven't yet pushed that fix to still-vulnerable devices.

    • If, now, there's some other fundamental impediment to distributing a correction to the bug that does not have to do with Google, but rather with the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix, why should the vulnerability be made public? I don't see any apparent upside to the public good.

      Now, if the shoe was on the other foot, and the vulnerability was in iOS instead, would you be of the same opinion?

      And I'm sorry, if you have the resources of a cellphone manufacturer, then you DO have the resources to distribute a fix, sorry.

  • by edxwelch ( 600979 ) on Monday July 27, 2015 @11:28AM (#50190811)

    So, remote execution vunerbility on nearly 1 billion devices...
    I wonder how much they would have made if they had sold it on the black market, instead of telling Google about it?

  • by Anonymous Coward on Monday July 27, 2015 @11:30AM (#50190833)
    Please give me your phone numbers so I can text you the fix for this issue.
  • by brunes69 ( 86786 ) <slashdot@keir[ ]ad.org ['ste' in gap]> on Monday July 27, 2015 @11:33AM (#50190861)

    It is unclear to me from these articles or any research I was able to do, if you are vulnerable to this exploit if you use Lollipop which uses NuPlayer by default, not Stagefright.

  • I have my data plan turned off. When I receive multimedia texts, it receives nothing but a message prompting me to download it, but it doesn't actually download anything.
  • We see reports here is exploits like this or RSC Android last week ( Link [slashdot.org]), the reports more than 99% of all mobile malware targeting Android (Link [google.com]) etc., and it makes me wonder... Why would anyone trust a vehicle running Android?

    If your phone stops working you can get another one (less than 1% of mobile malware targets Apple iOS, Windows and Blackberry combined), if your car stops working or gets hacked, it can kill you. Just wait until the first time the brakes are not available until you pay the ranso
  • Yep, gonna be that annoying SoB and just make note that my BlackBerry z10 has had no ridiculous remote exploit vulnerabilities like this, has the worlds best messaging platform (BlackBerry Hub), awesome battery life, a rock-solid OS that multi-tasks like a dream. And it can run most all Android apps (though they are sandboxed to prevent their many flaws from compromising the rest of the system).

    Now bring on the BB bashing!
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Now bring on the BB bashing!

      Not really much fun picking on you and the three other BB users around here...

  • Who hasn't given up any expectation privacy when installing apps that want to pull your contact list, accounts, bloody everything? Then on the logistics front: the play store provides updates to hangout. Why would vendor (ex: Samsung, Verizon, Motorola) need to provide a patch? Is this core functionality the issue? Would seem the next time Play store wants to update Hangouts, in goes the patch. Is this just -another- slow press day when we are all supposed to be afraid, and pay attention to the media?
    • The vulnerability isn't in Hangouts. It's in Stagefright, which is a media library. Hangouts is only important here because it uses Stagefright in a way that exacerbates the issue. You can't fix Stagefright by updating Hangouts. You have to update Stagefright, which is part of the OS rather than part of an app.

      • Ok, thanks for the clarification. Sounds like an FTC issue then... as we are paying our carriers to provide service and support. Thats the expectation anyway. Is the real-world fix then to root the phone, delete stagefright libraries, while we wait for this long suspected vulnerability to get fixed by our carrier? This is a long recognized issue, shame on the Android Ecosystem for not having a solution now that day 1 is upon us. What do we lose if we root/delete the stagefright libraries? All multimed
        • What do we lose if we root/delete the stagefright libraries?

          On my Nexus 7 tilapia / Cyanogenmod, 2015-07-26 snapshot I believe, I tried
          su -
          mount -o remount,rw /system
          cd /system/lib
          mkdir sf.bak
          mv libstagefright* sf.bak

          Tried a couple of apps, seemed OK, so re-booted.

          Hung on the boot spinner, didn't get as far as prompting to decrypt the user partition

  • "There are some mitigations, for example, in Google Hangout settings, a user is able to request that MMS messages are not automatically downloaded."

    Source: https://threatpost.com/android... [threatpost.com]

    • "There are some mitigations, for example, in Google Hangout settings, a user is able to request that MMS messages are not automatically downloaded."

      Source: https://threatpost.com/android... [threatpost.com]

      What about the setting that keeps MMS messages from being accidently downloaded? Where's that setting?

      Oh, wait...

  • A bunch of people here are all saying "vendors don't give a crap.", but I got a nag screen for a security update a few days ago on my Samsung S5, and if that addresses this issue, then they fixed it before I even knew there was a problem.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (3) Ha, ha, I can't believe they're actually going to adopt this sucker.

Working...