Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Android Security

950 Million Android Phones Can Be Hijacked By Malicious Text Messages 120

techtech writes: According to security firm Zimperium a flaw called "Stagefright" in Google's Android operating system can allow hackers take over a phone with a message even if the user doesn't open it. The vulnerability affects about 950 million Android devices. In a blog post Zimperium researchers wrote: "A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone."
This discussion has been archived. No new comments can be posted.

950 Million Android Phones Can Be Hijacked By Malicious Text Messages

Comments Filter:
  • idiots (Score:5, Informative)

    by bws111 ( 1216812 ) on Monday July 27, 2015 @06:14PM (#50193421)

    Hey morons, you already posted this TODAY.

    • Re:idiots (Score:5, Funny)

      by Ed Tice ( 3732157 ) on Monday July 27, 2015 @06:21PM (#50193487)
      Probably a proof-of-concept exploit that causes the editors to post dupes when they receive the payload!
    • by msauve ( 701917 )
      The first article isn't even gone from the front page yet. /. "editors" strike again.
    • Hey morons, you already posted this TODAY.

      Piece of shit Windows 10 comes out in a couple days. Some obscure-wtf-bullshit site zimperium(?!) posts on their own blog. So now it's the end of the world. All Androids are fucking rooted while you slept last night. Aw shit. Damn. This is supposedly because of vulnerable MMS video lag prevention features in "stagefright libraries".

      FUD. 2x dupe on Slashdot raises the credibility eyebrow. c|net has had zero credibility with me for many years.

      http://www.digitaltrends.com/mobile/android-stagefright-mms

    • If editors don't read Slashdot itself maybe they should Google their own website. I mean a simple search like: "Android Malicious Text url:slashdot.org" returns both articles.

      If editors google what they are about to post they can outsourse the job of reading the very site where they manage content.

  • by OutOnARock ( 935713 ) on Monday July 27, 2015 @06:15PM (#50193425)
    95% of them will never be patched........thanks for all the fragmentation.....
    • Re: (Score:2, Informative)

      by ne0n ( 884282 )
      CM and nearly all custom roms are immune and Lollipop is completely unaffected. Next time don't buy a carrier device.
      • by Mashiki ( 184564 )

        CM and nearly all custom roms are immune and Lollipop is completely unaffected. Next time don't buy a carrier device.

        Some of us don't have a choice, some of us still don't have a choice. Welcome to Canada.

        • by caseih ( 160668 )

          What are you talking about? What does being in Canada have to do with it? I have rooted, unlocked, and installed CM on several devices including my Virgin Mobile Galaxy S1 and a Kudo Galaxy S2. And all the carriers here allow you to bring your own device if you wish. I brought my unlocked S2 to Telus.

          • A voice of reason.

            Similar setup here, my wife just switched to Fido after unlocking her HTC One. The plan is $15 cheaper if you bring your own device.
      • Re: (Score:3, Informative)

        by Anonymous Coward

        That is completely wrong. The blog post by the folks who discovered the vulnerability even includes screencaps of Lollipop 5.1.1 being taken over via MMS. Not sure where you got the idea that Lollipop and CM are unaffected.

    • 95% of them will never be patched........thanks for all the fragmentation.....

      EXCEPT 5.0 Lollipop, because Lollipop uses a different media framework. Which I'm sure has its own issues, but thankfully, even a year after release, its marketshare is tiny enough that it doesn't matter.

      Even worse, it's a bug inside the OS itself, so it's not like Google can actually fix the problem like they have using Google Services Framework.

      It can only be fixed by a rooted device or a software update to replace the broken library.

      • by aNonnyMouseCowered ( 2693969 ) on Monday July 27, 2015 @08:56PM (#50194313)

        "It can only be fixed by a rooted device or a software update to replace the broken library."

        "Rooting" (or allowing runtime access to root-level functions) is unnecessary for fixing any Android OS-level problem. However an unlocked bootloader will allow you to install an unofficial update or patch (unfortunately also allowing you to install a malware). A "rooted" device is actually even more of a security risk, especially if you have to trust a closed-sourced "superuser" binary.

        Note that I distinguish between "rooted" Android systems that allow you to gain root level access on demand and those setups that allow for off-line root access via special recovery or debug modes that require a reboot and so is not available when running the system normally.

        • by emil ( 695 ) on Tuesday July 28, 2015 @10:27AM (#50196681)

          When the critical Samsung keyboard exploit hit the news, I was able to do this (and you were not):

          mount -o remount,rw /system
          cd /system/app
          mv SamsungIME.apk SamsungIME.banished
          scp cyanogen:/tmp/LatinIME.apk .
          cd
          mount -o remount,ro /system
          reboot

          I have no intention of relinquishing my ability to repair this vendor-inflicted brain damage because of your foolish misconceptions.

      • by Anonymous Coward

        95% of them will never be patched........thanks for all the fragmentation.....

        EXCEPT 5.0 Lollipop, because Lollipop uses a different media framework. Which I'm sure has its own issues, but thankfully, even a year after release, its marketshare is tiny enough that it doesn't matter.

        Even worse, it's a bug inside the OS itself, so it's not like Google can actually fix the problem like they have using Google Services Framework.

        It can only be fixed by a rooted device or a software update to replace the broken library.

        This is completely wrong: 5.0 and 5.1 all include stagefright library. Nuplayer has been around for awhile and is a counterpart to Stagefright. Android has been moving toward deprecating Stagefright and replacing it with Nuplayer. In 5.0 this started with the inclusion options to allow manufactures to use nuplayer or stagefright as the default. Since nuplayer is still considered experimental there are been compatibility issues so most manufacturers shipped their 5.0 and 5.1 builds with the default stil

    • If it can be exploited remotely for root access then it can be patched remotely by a non-vendor. I guess we will see stagefright patch apps start appearing over the next few days.

      Obviously, nobody can rely on the lame-ass vendors, even if they had their heart in it.

  • No Android.
    No smartphone.
    No cellphone.
    My telephone's an old fashion really dumb land line. One thing you gotta love about being behind the times is not getting hacked.

    • by AuMatar ( 183847 )

      If you never use any computer you're even safer. I suggest you throw out the one you typed this on.

      • by msauve ( 701917 )
        "If you never use any computer you're even safer. I suggest you throw out the one you typed this on."

        I'd think his public library would be upset by that.
      • by pubwvj ( 1045960 )

        No, this article was specific to the Android. Try to stay on topic no matter how your mind wanders...

    • Pfft. I'm outside your house clipping my orange lineman's handset into your Bell box, so I can listen to all your calls.

      Wait until I tell the guys at 2600 Magazine about this! er33t h4x!

      • by pubwvj ( 1045960 )

        Have fun. I hope you don't get too bored since I almost never use the phone and I never say anything on it that matters... Virtually all of my communications are via email - which is an open postcard so nothing interesting there either - and email is not hackable. It is the Android system that is the subject of the hacking in the original poster's article or perhaps you didn't read that. That's why candles, tin cans, old dial up phones have an advantage - they're simply not remotely hackable. So hook into t

    • My telephone's an old fashion really dumb land line...

      Oh I know, right? I keep a couple tin cans and some string around in case things get really bad.

    • One nice thing about using candles is not having to worry about power failures.

      (I don't get this attitude; depriving yourself of cool things so you don't have to deal with the inconvenience of those things breaking?)

      • by pubwvj ( 1045960 )

        Ah, but there's the rub. You think the Android phone a cool new thing. What Smartphones really are is gussied up old tech (voice) with a new suit that makes them more vulnerable. I very rarely use voice phone. I use email which is far faster and more efficient. I also don't communicate things via email that are worth "listening" into so the fact that email is a postcard is not an issue either. In either case, you can't hack my email the way the Android phone hack is being done - that was the point of the or

  • by Anonymous Coward

    http://it.slashdot.org/story/15/07/27/1416257/stagefright-flaw-compromise-android-with-just-a-text

  • "A fully weaponized successful attack could even delete the message before you see it."

    A fully weaponized attack could take screenshots and camera pictures of you tossing off at Wikiarmpits.

  • And this is why I use a $9 phone that has support for nothing other than voice calls and plaintext SMS. Not only is it free from the effects of such exploits but the battery also lasts two weeks between charges, it fits very nicely in even the smallest pocket and doesn't distract me when I should be working or spending time with friends and family.

    I only upgraded to this phone because I found the cranking handle on the side of my old phone was snagging on my pocket and the operator was sometimes very slow

    • by DamonHD ( 794830 )

      Surely the trailing wire back to the exchange was a bigger problem?

      Rgds

      Damon

    • by sims 2 ( 994794 )

      But does it work on verizon? Most of the cheap basic phones ive seen are gsm only.

      • Would you want it to work on Verizon? I mean, they're advertiser-friendly unique-id headers alone should make you swear them off.

        • by sims 2 ( 994794 )

          First they do actually let you turn of the uuid thing now.
          I turned it off same day they added the option to do so.
          Still annoyed about that but aside from switching to a less reliable provider not a lot else I can do.

          Second I don't actually do a lot of browsing on my Samsung convoy 3 the ssl warning in combination with the small screen makes it a serious pita just to look up the weather.

          Third att/sprint/tmobile all have pretty crappy service by me although att has gotten much better in my area in the last co

    • And this is why I use a $9 phone that has support for nothing other than voice calls and plaintext SMS. Not only is it free from the effects of such exploits but the battery also lasts two weeks between charges, it fits very nicely in even the smallest pocket and doesn't distract me when I should be working or spending time with friends and family.

      You insensitive fucking clod, my wife read that, got all excited, and left me. Said something about wanting to have your babies. You must get that a lot though.

      Slashdot kooks are getting like that crazy uncle who brags about not having email. Or a computer.

  • MMS vector (Score:5, Informative)

    by xarragon ( 944172 ) on Monday July 27, 2015 @07:07PM (#50193783)

    TFA (requires obnoxious CAPTCHA just to read, wtf) makes it clear the payload is inside a media file attached to an MMS. Myself I do not use MMS since it seems to require OTA data to download the MMS payload, which is exceedingly expensive on my current prepaid plan. Old phones are pretty likely to be used like this; voice only, data only over wifi, so it might lessen the impact. Anyways, I am on Lollipop.

  • When I buy a new phone, it generally involves a two year contract. Even without a contract, it's reasonable to expect that a new phone will be supported for a couple of years. For phones where the carrier controls the software, like Android, that seems to be an implicit part of the service that the carrier is contracted to provide. I don't agree with lawsuits for buggy code, provided that there isn't negligence involved. However, when the vendor and carrier are aware of a problem and fail to provide a solut

    • I recognize that this doesn't put lives at risk

      System-corrupting malware installed onto an on-call doctor's phone via this exploit, causing a boot-loop so no calls or messages can get through.

  • If the data plan is turned off, you can't get any multimedia. It isn't an optimal solution, but turning data off will protect you, right?
  • Is the patch available?

    • or never configure it in the first place to work.

      that's your fix.

      and slashdot editors: MMS IS NOT SMS SO FUCK YOU SLASHDOT EDITOR. it's not even remotely same technlogy.

      mms is vulnurable? duh. how about sharing the image preview vuln(presumably) that's actually used since that has much more to it than just mms. but that mms implementation is exploitable is quite a bit less fatal/interesting than sms vuln.

      besides than that I'm pretty fucking sure that 950 million android phones (total androids out there) don

  • It'll give you a warning before stagefright is used

    https://github.com/WhisperSyst... [github.com]
    you can find SMSSecure on f-droid

    Also check to make sure hangouts isn't using mms (just to be on the safe side)

  • CyanogenMod (Score:5, Informative)

    by Zanadou ( 1043400 ) on Tuesday July 28, 2015 @01:33AM (#50195097)

    Concerning CyanogenMod, this was posted to their Facebook page [facebook.com] a few hours ago:

    Recent Stagefright issues

    The following CVE's have been patched in CM12.0 and 12.1 nightlies for a couple weeks. If you haven't updated already, we strongly encourage you to do so.

    CM11 will see these updates hit as part of out of band fixes this weekend (these releases occur weekly).

    CVE-2015-1538
    CVE-2015-1539
    CVE-2015-3824
    CVE-2015-3826
    CVE-2015-3827
    CVE-2015-3828
    CVE-2015-3829

    We are actively following all the DefCon events and announcements and will be keeping tabs on other disclosures that could impact CM and its derivatives.

    ï

  • Seriously, do people really use MMS? Just disable MMS (if have enabled it) and you are safe as it seems.
    What is the purpose of MMS? Paying 100x more to send the same contents which could be sent using an email?

  • The set of hardware capabilities available on a smartphone has more or less stabilized on phones these days. Which means that the kernel API to the hardware could be frozen. Which means that everything above the kernel level could be OTA-upgraded (to stock, at least -- carrier customizations should be installed as an app and/or theme on top of the stock firmware anyway). Why in 2015 is the entire platform not hot-upgradeable? The inability to do so is just plain stupidity. (Memory limits / CPU speed etc. do
  • It's not a Text message (SMS). It's an MMS message. Different technology
  • "According to security firm Zimperium a flaw called "Stagefright" in Google's Android operating system"

    Um, the flaw isn't called stagefright - the flaw is in a component called stagefright!

The system was down for backups from 5am to 10am last Saturday.

Working...