Image
Android is by far the most dominant smartphone operating system in the world, and it has just been found to be vulnerable to a serious smartphone security flaw which allows devices to be hacked by simply sending them a text message.

About 80 percent of smartphones worldwide run Android, and just about all of those have a major vulnerability in their software, according to experts at Zimperium, a cybersecurity company specializing in mobile devices.

What makes this problem a gaping security hole is that the victims don't even need to be tricked into downloading or opening a bad file - attackers only need to send them a text message for the malware to take hold.

The issue stems from the way Android processes incoming text messages. Media playback software utilized by Android, called Stagefright, processes media files, such as images or video, sent to your device before you even open the message. Hackers can hide malware in those files, getting Stagefright to automatically unleash them onto your phone, thus giving attackers unfettered access to copy and delete data or use the camera, microphone, and GPS to track your every move.


Comment: Stagefright: Everything you need to know about Google's Android megabug
Where does the name come from?

"Stagefright" is the name of the media library—a portion of Android's open source code—in which the bugs were found. It's obviously a great bug name, too.

No lie. What does that media library do?

Stagefright—the library, not the bug—helps phones unpack multimedia messages. It enables Android phones to interpret MMS content (multimedia message service content), which can contain videos, photos, audio, text, as opposed to, say, SMS content (short message service content), which can contain only 160 characters. The bugs are in that library.

"This happens even before the sound that you've received a message has even occurred," Joshua Drake, a security researcher with Zimperium, told NPR. "That's what makes it so dangerous. [It] could be absolutely silent. You may not even see anything."

The issue affects any phone using Android software released in the last five years, according to Zimperium. That includes devices running Android's alphabetically-coded versions, Froyo through Lollipop, which together account for 95% of the operating systems being used on all android phones - or 950 million devices.

Zimperium said that it privately warned Google of the flaw on April 9, and even provided them with a fix. The company claims Google responded within 48 hours, saying that the bug would be patched in the near future.

Companies are often given a 90-day grace period to issue a fix in situations like this. It's a guideline that Google itself abides by when it finds flaws in others' software, according to CNNMoney.

Zimperium went public with the news because the fix hadn't been made available 109 days later.

This is likely due to the fact that Android isn't a single operating system like Apple's iOS, making it difficult to address problems for the myriad devices using the operating system in one fell swoop. Google also has to deal with third parties such as phone carriers like Verizon, T Mobile and AT&T, as well as hardware manufacturers like Samsung and HTC.



Comment: Stagefright: Everything you need to know about Google's Android megabug
Wait, I thought you said Stagefright is a bug, not bugs?

Okay, okay. So Stagefright is a collection of bugs, if you want to be technical. Seven to be exact. If you want to get real technical, their designations are:
  • CVE-2015-1538,
  • CVE-2015-1539,
  • CVE-2015-3824,
  • CVE-2015-3826,
  • CVE-2015-3827,
  • CVE-2015-3828, and
  • CVE-2015-3829
But for our purposes, I'll just refer to them collectively as Stagefright. A singular bug set; one vulnerability.

Fine, that seems easier. Why should I care about it?

Well, if you're an Android user then your device is probably vulnerable.

Is that bad?

That means an attacker can infect your device simply by sending you a malicious MMS message. (Remember that acronym? Multimedia message service.) In fact, a victim doesn't even have to open a booby-trapped message for the attack to spring. Once the message received, your phone is toast.

Er...that doesn't sound good.

Right. Once inside, an attacker can access your phone's data, photos, camera, microphone. What's worse is that a clever baddie can delete the booby-trapped message from your phone before you even realize that your device has been compromised. So basically, yeah it's bad.

That does sound bad.

Yup. And it gets worse! Imagine this scenario: Someone attacks your phone, steals your contact list, automatically targets those devices—rinse, repeat. Now everyone's infected.

That's what we like to call a computer worm.

How long has this been the case?

About five years.

What?? You mean my phone has been open to attack this whole time???

Yes.

Surely, Google must have patched it by now!

You're right! Google patched the bugs right away. The company learned about one set of vulnerabilities in April and another set in May. The person who discovered the problems—Joshua Drake, a researcher at the mobile security company Zimperium zLabs—says he provided patches, and Google adopted them within two days. (The company reportedly paid him $1,337 for his work.)

Woohoo! So I'm safe?

Nope. The problem isn't fixed.

What? Huh? Why?

That's because Google's Android ecosystem relies on its partnering phone-makers to push out software upgrades. That means Samsung, HTC, LG, Lenovo, Motorola, Sony, among others, are responsible for delivering the patches to customers.

Have they done so yet?

CyanogenMod, Mozilla, and Silent Circle's Blackphone have.

I don't use those...

Then you'll have to wait. The other companies have issued statements that basically say, "We're working on it." You can read them here.

Is there a way to test whether I'm vulnerable?

If you're using a phone that runs on Android version 2.2 or above, you may as well assume you're at risk. The most vulnerable phones predate Jelly Bean (version 4.1), and that accounts for about 11% of Android phones on the market.

(We'll add a link to a test when one comes to our attention but, unfortunately, there's nothing available yet—at least that we know of. Though it would be pretty cool if someone came up with one. Nudge nudge, wink wink.)

Why are post-Ice Cream Android phones better off?

As Google Android's lead security engineer explains here, that's about the time that Google put in place some strong exploit mitigation technologies, like one called Address Space Layout Randomization. "This technology makes it more difficult for an attacker to guess the location of code, which is required for them to build a successful exploit," Adrian Ludwig writes. He goes on: "(For the layperson — ASLR makes writing an exploit like trying to get across a foreign city without access to Google Maps, any previous knowledge of the city, any knowledge of local landmarks, or even the local language. Depending on what city you are in and where you're trying to go, it might be possible but it's certainly much more difficult.)"

You can find a list of similar security technologies implemented since Ice Cream (version 4.0) here.

So I get that I should pressure my phone-maker to push out the fixes. What about my wireless carrier?

Well, if your wireless carrier was real cool, it could create a signature for Stagefright-based attacks, and block those threats on its network. Fiat Chrysler recently worked with Sprint to make its cars much less hackable that way. Your carrier could also help make sure the fix works for older versions of Android, too, rather than just making sure the latest version is protected. The security researcher Nicholas Weaver recently made this point on Twitter.

https://twitter.com/ncweaver/status/626067586568974336

He suggested something similar for Google, too.

https://twitter.com/ncweaver/status/626058358437482496

Can I do anything else to be safer?

First, ask your device manufacturer for an update: When will a patch be available and will you be covered? You might also consider changing the settings on your Android apps that use MMS, like Messaging and Hangouts. Un-click "automatically retrieve MMS messages." In the meantime, consider using Snapchat or WhatsApp to swap clips, GIFs, and whatnot.

Other than that, keep your phone number private, I guess? Drake, the guy who found the flaw, plans to present more details at the Black Hat conference next month.