back to article Got an Android phone? SMASH IT with a hammer – and do it NOW

Android smartphones can be secretly infected by malware smuggled in via video text messages, allowing criminals to sneak inside as many as 950 million devices. You just need to know a victim's cellphone number to silently inject malicious software in their vulnerable gizmo. Once infected, your mobe's camera and mic can be used …

Page:

  1. ZSn

    Tightwads

    $1,337, what a reward (apart from leet) for a bug that can affect a billion phones. What a bunch of tightwads!

    1. JohnnyGStrings

      Re: Tightwads

      My thoughts exactly - this is such a powerful exploit (not needing any user interaction to infect device) it should have received a larger bug bounty.

    2. Darryl

      Re: Tightwads

      Should've given him 31337?

    3. pixl97

      Re: Tightwads

      So how much would an exploit like this bring on the darknet?

    4. This post has been deleted by a moderator

      1. Anonymous Coward
        Anonymous Coward

        Re: Tightwads

        >> Because it's far harder to exploit and much more contained than this article pretends. It's not a billion phones, like the clickbait headline pretends.

        Thanks for clarifying the exploit potential for us. Sounds like you don't know yourself and are an android apologist

    5. Charlie Clark Silver badge

      Re: Tightwads

      How much, in your opinion, should they have paid? Should we really be encouraging a market for the reporting of bugs?

      It is very important for companies like Google to reward such contributions appropriately. But the incentives need to be correctly aligned.

      1. Pascal Monett Silver badge

        How much ?

        Let me see, a vector that is present on every single Android phone in the market, cannot be stopped and can barely be contained, with the end game being complete control of all data on the phone for a billion potential users ?

        I'd say one million US dollars would not be much compared to the cost of the PR disaster if this weakness had been discovered by malware users and exploited.

        1. Phil O'Sophical Silver badge

          Re: How much ?

          I'd say one million US dollars would not be much compared to the cost of the PR disaster if this weakness had been discovered by malware users and exploited.

          PR disaster to whom? Goggle have a nice fix all ready, the blame for any infections will be firmly placed at the door of Vodafone/EE/SFR/Sprint/etc. who never ship upgrades after the first year or so. Agreed $1337 isn't much, but $1m is way over the top. Maybe $10K and a new Nexus phone?

          1. ZSn

            Re: How much ?

            Looking at the exploit market (there's a nice article on Bruce Schneier's blog today) it would be in the hundred of thousands of dollars at a guess. A exclusive 0-day for the desktop is about $100-$150k. A generic unpatchable flaw for a billion phones - well perhaps $1 million isn't too fanciful after all.

            1. Phil O'Sophical Silver badge

              Re: How much ?

              It's not unpatchable at all, but once the phone companies have made the money out of your contract they haven't the slightest interest in patching it for free when they can get you to "upgrade" instead.

    6. TheVogon

      Re: Tightwads

      Hopefully Microsoft will release a Windows Mobile installer for Android handsets via their work with Cyanogen, then at least there will be a more secure OS update option.

      (From existing dual boot testing on the same hardware, we already know WM is faster and the battery lasts longer too.)

      1. asdf

        Re: Tightwads

        >we already know WM is faster and the battery lasts longer too

        funny how that works when there a few apps for users to leave open to drain the battery.

        1. TheVogon

          Re: Tightwads

          "funny how that works when there a few apps for users to leave open to drain the battery."

          This was the case for both manufacturer testing without any apps running, and third party testing:

          http://bgr.com/2014/08/25/android-vs-windows-phone-htc-one-m8/

    7. Kriilin

      Re: Tightwads

      Sergey probably spent more for lunch..

  2. chasil

    Workarounds

    Article at NPR suggests the immediate removal of Google Hangouts:

    http://www.npr.org/sections/alltechconsidered/2015/07/27/426613020/major-flaw-in-android-phones-would-let-hackers-in-with-just-a-text

    "The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery... this setup invites the malware right in. If you're using the phone's default messaging app, he explains, it's "a tiny bit less dangerous." You would have to view the text message before it processes the attachment. But, to be clear, "it does not require in either case for the targeted user to have to play back the media at all," Drake says."

    Anonymous commenter at Slashdot suggests modifying the following entry in /system/build.prop:

    media.stagefright.enable-player=false

    (Root is required to modify build.prop)

    1. Paul Shirley

      Re: Workarounds

      Wiping the MMSC,MMS proxy & MMS port APN fields *might* help, should stop it fetching any MMS body. No guarantees though and I'd bet on there being plenty of other ways to trigger stagefright badness.

      There's simply no excuse for carriers and device manufactures not being able to quickly push a dll update and nailing this. Wont happen without heavy handed regulation - or at least the threat of huge fines.

      1. choleric

        Re: Workarounds

        Alternatively removing all MMS infrastructure from networks globally and running a steamroller over the lot of it would improve security vastly. Who intentionally sends MMS messages these days?

        1. Paul Shirley

          Re: Who intentionally sends MMS messages these days?

          On some networks you can't received MMS without first sending one, a large number of users might quite accidentally be protected because only hackers are likely to voluntarily use MMS today. That's aiming their SMS use didn't trigger conversion of long texts to MMS though.

          1. Roland6 Silver badge

            Re: Who intentionally sends MMS messages these days?

            >On some networks you can't received MMS without first sending one

            But don't applications such as Hangouts, Viber et al allow the sending of MMS messages via a different route ie not through the telco's messaging centre?

            1. tony2heads
              Unhappy

              Re: Who intentionally sends MMS messages these days?

              Right:

              - I have turned off MMS upload (never used the system anyway)

              - I don't use hangouts

              - I never installed Viber.

              - Media playack by VLC

              What else?

              1. Lallabalalla
                Trollface

                Re: Who intentionally sends MMS messages these days?

                What else?

                Buy an iPhone.

                1. Roland6 Silver badge
                  Joke

                  Re: Who intentionally sends MMS messages these days?

                  Re: What else?

                  CEX are reporting good business in old Symbian Nokia's...

              2. Anonymous Coward
                Anonymous Coward

                Re: Who intentionally sends MMS messages these days?

                "What else?"

                Did you RTFA? You still gotta SMASH IT WITH A HAMMER.

              3. Michael Habel Silver badge

                Re: Who intentionally sends MMS messages these days?

                Right:

                - I have turned off MMS upload (never used the system anyway)

                - I don't use hangouts

                - I never installed Viber.

                - Media playack by VLC

                What else?

                Why are you assuming that VLC... Is any safer then say Kodi?! Do you even know what Stagefright does?! Or would you just be assuming that its only something that gets installed along with Kodi?!

                FYI -- Stagefright is the Hardware Acceleration CODECs needed by your Device in order to playback pretty much every Media File you have, and unless I'm missing my guess here... This shall also include such mundane things like *.mp3's.

                So someone shall have to explain this one to my why VLC should be any safer then the next Player?!

                1. tony2heads

                  @Michael Habel

                  With VLC (if I recall correctly) hardware acceleration is optional -but the default is ON.

                  It won't even run hardware acceleration on some devices.

        2. Steve Evans

          Re: Workarounds

          I wonder how hard this would be to block at the MMSC end? Although we all know how much networks like to get off their arse and do something useful... They love acting as dumb pipes, but only when it suits them!

          Oh well, given I haven't received an MMS in over a year, I just mangled the details in the APN... That should keep things safe... At least until an update arrives, which I expect won't be long on my Nexus.

          I fear for the security of OEM devices though.

    2. GerryMC

      Re: Workarounds

      I'm just glad that I tend to disable hideously obtrusive apps like hangouts - I want text messaging, not a social network/video chat/photo app. I like apps that do one thing well, not get in the way with "cute" features.

      1. Mike Echo

        Re: Workarounds

        "hideously obtrusive apps like hangouts"

        One of the biggest incentives for me to root my phone was to take control of the Google bloat that was usually installed by default. Bye bye hangouts and quite a few other apps-that-always-update-but-I-never-ever-use.

    3. chasil

      Re: Workarounds

      Later Slashdot commentary suggests disabling several more stagefright booleans in build.prop; I have only left the recording entry enabled, and even that may be a mistake. I am running Alliance on exynos; stock may have more concerns. I've survived several reboots with stage fright lobotomized.

    4. Michael Habel Silver badge

      Re: Workarounds

      Anonymous commenter at Slashdot suggests modifying the following entry in /system/build.prop:

      media.stagefright.enable-player=false

      (Root is required to modify build.prop)

      Great so I managed to kill off stagefright.... How the Hell do I use my seemingly legit Kodi Install (Google Playstore), to watch stuff on my Phablet now?! Speaking about Kodi I guess it would be an even higher infection vector, in the sense, that its raison d'etre IS to play Movies (i.e. Clips)... Not above the board. (i.e From unknown sources). While there hasn't been much said about it. I don't think this is the first instance of a Video managing to pw0n some System. (Thinking of Windows here),.

      But, Kodi (Formerly known as XBMC), or in some cases SPMC. Damned well nearly relay on stagefright to work. Assuming you wanted your Movies to actually work.

      1. Uncle Slacky Silver badge
        Linux

        Re: Workarounds

        Why not just use VLC instead of Kodi?

        1. Michael Habel Silver badge

          Re: Workarounds

          'Cause VLC would as likely as not also rely on the Stagefright CODECs to Videos to actually work.... Since its actually part of the Android -- Linux System, and would NOT otherwise be included with Kodi, or VLC... It's hardly like we could expect them to fix it for us. I'd imagine a Patch in-and-of-itself wouldn't take the World to fix.... But, getting that Patch out to everyone who'd needs it, is. Google need to have a re-think about how to bypass the OEM's to allow those who need to get Security Patches, to then actually get them... FAST!

          Then again... With no credible third Mobile OS out there, they still have time.... I suppose. And NO WinPho... Is in my book anything BUT, credible.... As bad as Android might be.... I'd still would have it over WinPho every time. This just makes me wish that the Ubuntu Phone was a bit closer to reality now though.

    5. Roland6 Silver badge

      Re: Workarounds

      That workaround might block one attack vector, but note the vulnerability is in Stagefright - Android's media playback engine. Hence I wonder whether the attack merely needs to get the user to run a suitability crafted video using a viewer that uses Stagefright. The use of MMS is obviously concerning because of the various under the hood (ie. not visible to user and out of user's control) actions that can be automatically triggered via MMS.

    6. BillG
      Stop

      Re: Workarounds

      Anonymous commenter at Slashdot suggests modifying the following entry in /system/build.prop:

      media.stagefright.enable-player=false

      (Root is required to modify build.prop)

      Do NOT do this until further research is done. Users on XDA are reporting that disabling Stagefright in this way can result in an unrecoverable boot loop.

      1. chasil

        Re: Workarounds

        media.stagefright.enable-player=false

        Do NOT do this until further research is done. Users on XDA are reporting that disabling Stagefright in this way can result in an unrecoverable boot loop.

        Can you post a link to this discussion? I have already disabled several stagefright booleans in my build.prop and rebooted without issue.

      2. chasil

        Re: Workarounds

        I have found these two references on boot-loop problems disabling the stagefright booleans in build.prop:

        http://forum.xda-developers.com/showpost.php?p=62069940&postcount=8

        http://forum.xda-developers.com/showpost.php?p=62073754&postcount=18

        The user in the final post did not preserve ownership/permissions on the build.prop file. His boot-loop had nothing directly to do with disabling stagefright.

        I used the busybox vi editor with an external keyboard to change my build.prop, obviating this issue.

        I have seen no clear evidence that disabling stagefright will harm the Android OS if done correctly and with care (YMMV).

    7. chasil

      Re: Workarounds

      Here are additional resources:

      http://fkwon.blogspot.com/2011/05/android-toggle-stagefright.html

      ---

      https://github.com/CyanogenMod/android_frameworks_av/commit/57db9b42418b434751f609ac7e5539367e9f01a6

      "from (previous) git entry I would suspect meta data parsing errors.

      so in /system/boot.prop (root required)

      [code]

      media.stagefright.enable-meta=false

      media.stagefright.enable-scan=false

      [/code]

      However, one cannot be sure about this."

  3. cashxx

    But its open source

    But its open source, its all FUD! Open as it wide!

    1. Destroy All Monsters Silver badge

      Re: But its open source

      It is?

    2. Daggerchild Silver badge

      Re: But its open source

      As it wide indeed! Looked for, found and then patched, by an *independant* party? Meanwhile a weaponised Windows font hole had to be actively pried from the hands of the only willing bughunters proprietary code ever has: Hackers.

      1. Anonymous Coward
        Anonymous Coward

        Re: But its open source

        Patched where? On Google code repository only? Until patches reach the devices, they're not patched at all. Google is responsible for a system that can't be patched by end users.

    3. Your alien overlord - fear me

      Re: But its open source

      Wrong fanboi, Google's own apps are closed source, such as Google+ but any competent programmer can reverse engineer it. AOSP is the open source version of Android and it doesn't come with any Google bloatware.

      1. Pascal Monett Silver badge

        Re: any competent programmer

        That's about as useful as saying that gangrene can be taken care of by any competent surgeon.

        Sure it can. You know how many competent surgeons, exactly ?

        The scale of this issue is such that EVERYONE needs a solution, not just the competent programmers.

        If solutions were only made for competent programmers, the IT industry would have been dead in the water 20 years ago.

  4. Destroy All Monsters Silver badge
    Paris Hilton

    Dafug?

    I have the weird feeling the bugsies are getting better every week...

    1. Khaptain Silver badge

      Re: Dafug?

      The hackers have the advantage of time... Anyone that new +ORCs tutorials would have known his Martina-Wodka, one of his essential cracking tools...

  5. Anonymous Coward
    Anonymous Coward

    What if a blocker removes any MMS outright?

    Will that still trigger the bug?

    1. Eddy Ito

      Re: What if a blocker removes any MMS outright?

      Since stagefright seems to be what android uses for hardware accelerated decoding I would imagine that the attack vector isn't that important. MMS is what makes it automatic since it appears to bypass any user interaction but I expect an attack could be done with email or facebook and most security unconscious folks would be happy to "Watch this video, it's sooo funny, LOL" if sent from someone they befriendified (if that's a word) online.

    2. Anonymous Coward
      Anonymous Coward

      Re: What if a blocker removes any MMS outright?

      I wouldn't depend on that. You'd be relying on the blocker removing the MMS before StageFright processes it which isn't going to be guaranteed.

  6. Nate Amsden

    filter at the telco level?

    I would think it is technically possible to inspect and filter at the carrier level for this kind of thing, since this is processed through their systems(and not some random web page or email or something).

    Maybe they don't have this capability, if not not a bad ability to have.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021