Got an Android phone? SMASH IT with a hammer – and do it NOW

Android smartphones can be secretly infected by malware smuggled in via video text messages, allowing criminals to sneak inside as many as 950 million devices. You just need to know a victim's cellphone number to silently inject malicious software in their vulnerable gizmo. Once infected, your mobe's camera and mic can be used …

        1. Malcolm Weir Silver badge

          Re: filter at the telco level?

          Nonsense.

          In the UK, telcos filter over-the-air content all the time (and are in fact required to do so). You can request that they turn the filter off, but you have no legal comeback if they filter something you want.

          It's just false to assert that an ISP would somehow become liable for anything if they blocked malicious MMS traffic. Particularly since this is exactly analogous to efforts to block what used to be called "phone phreaking": techniques to misuse telco systems to achieve nefarious ends.

    1. Adam 1

      Re: filter at the telco level?

      OK, assuming some sort of signature based pattern can identify the infected video, why involve the telco at all? That would mean that the hangouts app itself could perform the scan before sending it off for preview. This is important, because hangouts can be pushed through Google play as an update.

      Although it wouldn't eliminate the attack vector (too much insufficient storage-esque errors on old devices), the attack surface would easily and quickly halve.

      OK Google, you've got 90 days.

    2. jporcina

      Re: filter at the telco level?

      The MMSC of any mobile network usually includes a virus scanner for the attached media.

      Unless the Mobile Operator has neglected this feature the MMS service will prevent the spread of any such "Stagefright" exploits.

      Note: This came to light from a research lab not from real-world evidence of exploits. Remember the Apple iCloud hack?

  1. JakeMS

    Damn!

    Damn! See this is why the very idea of locked down/DRMed devices is bad[1][2].

    When something critical like this happens many users cannot simply apply a patch to fix it, they are stuck with a device that is exposed and the only way to resolve it is to hope the manufacturer releases a patch.

    Sure, you could install a custom rom to fix this, but this may not always be available for all android phones, for example, my android phone does not have this option.

    Thus, I now need to buy a new phone[3][4] :-/

    [1] I know Android itself is indeed open source, but many (most?) mobile phone manufacturers put various locks in place to prevent easy user modifying of the installed firmware.

    [2] I am an open source, anti-drm supporting nut job.

    [3] Typical, I just got my phone set up the way I like it.

    [4] More money spent.. so much for saving up for that 1967 Shelby Fastback Mustang..

  2. goldcd

    Meep.

    I'm a great big fat android fanboy - but this is why Android is bad.

    Apple (for better or worse) do seem to support their hardware: https://en.wikipedia.org/wiki/List_of_iOS_devices#Highest_version_of_iOS_supported

    Or at least if you're a 4S or beyond owner, they seem to have you covered.

    With them you're getting updates for a 4 year old device, but in world of premium android you seem to get a "gentleman's agreement" on 2 years, and then you're on your own.

    Still, not quite as bad as it seems for Android - Google with "play services" seem to have been incrementally pulling more updates under their control, but it's still a bit half-arsed.

    Bit that always bemuses me though, is why they don't just embrace the Windows PC model (or probably more accurately the Windows PC laptop model) - with a Linux twist.

    There's less variance in phone hardware than there is on your average PC - buggered if I can't think of a reason you can't roll a "Google Play Installer" that checks components, and installs the relevant drivers.

    Has anybody actually bought an Android phone, due to the OS modifications in the last few years?

    1. Anonymous Coward

      Re: Meep.

      "Bit that always bemuses me though, is why they don't just embrace the Windows PC model (or probably more accurately the Windows PC laptop model) - with a Linux twist."

      It's the chipset manufacturers that are blocking that plan. Many of them design SoCs and specialized chips as highly-competitive black boxes (because they don't want to Give Information to the Enemy). Unlike in the PC world where most stuff was based on discrete standards, a lot of ARM-based hardware relies on proprietary arrangements covered in trade secrets and NDAs. Some manufacturers are more forthcoming, others aren't (some like Allwinner even violate the GPL it seems but don't care because they have connections).

      1. Daggerchild Silver badge

        Re: Meep.

        "(because they don't want to Give Information to the Enemy)"
        or let the enemy know they have some of their tech behind this veil, maybe, nobody's sure where tech ends and lawyers begin anymore these days.

    2. David Webb

      Re: Meep.

      Or you root it and stick on a custom rom and update it until you find the phone isn't powerful enough for your needs, I think that is the main beauty of Android, you have options. With Apple you're stuck, once they stop bringing out new updates for it, you're stuck with whatever version they decide you should have, so upgrade your phone.

      Naturally I'm with Windows Phone, security by obscurity, best method, honest guv'nor.

      1. Dan 55 Silver badge

        Re: Meep.

        Although you do need someone technically competent or a technically competent team compiling the custom ROM for your phone, not a primadonna compiling an unofficial version of CM which lasts about an hour between reboots and ignoring all the bug reports. Not the best criteria for buying expensive hardware.

      2. TheVogon

        Re: Meep.

        "Naturally I'm with Windows Phone, security by obscurity"

        Security by lowest vulnerability count too versus Blackberry, Android or IOS.

    3. Charlie Clark Silver badge

      Re: Meep.

      "With them you're getting updates for a 4 year old device, but in world of premium android you seem to get a "gentleman's agreement" on 2 years, and then you're on your own."

      That's the legal requirement in the EU. Some of this stuff simply needs challenging in the courts.

      Things are often complicated by carriers running their own shit on top of the manufacturers' shit, which makes development and test take a lot longer. But some court rulings could really help in establishing the various degrees of liability.

      Apple's support is great as far as it goes. Anecdotally, however, I've been told that after about 3 years performance on the latest IOS seems to be so poor that new hardware is best solution. And app devs on IOS seem to march in lockstep with the IOS versions, meaning that OS upgrades are often required if you want to use the latest version of an app.

      "There's less variance in phone hardware than there is on your average PC"

      That simply isn't true. The lack of an ISA (industry standard architecture) has led to a raft of proprietary SoC's that all do things differently.

  3. Anonymous Coward

    Something of a delicate situation here. It's hard to force a manufacturer to support something that's about two generations old. The only reason vehicles have stricter standards is because lives are on the line (a defect that causes a fatal accident = wrongful death suits). Worse comes to worse, they could just drop out and leave everyone hanging. Then there are the carriers who insist on their customization or the phones don't get sold in their stores, period. No phone apart from iPhones has enough direct consumer draw to dictate terms to carriers.

    1. Vector

      I'm wondering what legal remedies might be available. Since you bought the phone with a tacit understanding that it would be functional for some period of time, and this vulnerability could compromise your financial information, if nothing else (certainly your personal information), failure to correct it might leave manufacturers/carriers liable. But, of course, IANAL. Any IAAL's want to chime in?

      1. Malcolm Weir Silver badge

        Legal remedies available: none.

        The thing you bought is as functional now as it was when you bought it.

        Then, as now, it was vulnerable to some number of attacks, and if those attacks compromise your financial information, then that is a criminal act on the part of the attacker. Your agreement/contract/tacit understanding with the vendor in no way includes liability on the vendor for criminal acts of third parties.

        Your theory is as daft as asserting that the people who made your wallet are liable if you get mugged and the mugger steals the cash out of it.

        1. John Brown (no body) Silver badge

          "Then, as now, it was vulnerable to some number of attacks, and if those attacks compromise your financial information, then that is a criminal act on the part of the attacker. Your agreement/contract/tacit understanding with the vendor in no way includes liability on the vendor for criminal acts of third parties."

          On the other hand, it might be argued that it is a fault which was in place at the time of manufacture or purchase.

          1. Malcolm Weir Silver badge

            OK, let's argue that. If the vendor had no knowledge of the defect at the time, how do you draw a line between "bugs" and "features"? Remember, while we're talking about something that I suspect most people would agree is a bug, how do you draw a bright line between defects that require fixing, and defects that are of the "it just doesn't work the way I think it should" variety? Some may be easy to categorize, but others...?

            And what constitutes an acceptable fix? Could a vendor (e.g.) provide a patch that simply turned off this Stagefright feature? Because it could be argued that nowhere did they explicitly state the expected behavior; rather "you" assumed that it should behave in a given way.

            It's tempting to want consequential liability and warranted functionality, but to be honest we've (all) been buying software for decades without it, so you'd have a really tough time trying to insist on it now on a commodity item like a phone.

        2. P. Lee

          >Your theory is as daft as asserting that the people who made your wallet are liable if you get mugged and the mugger steals the cash out of it.

          Not really.

          There is an inherent defect in the product. I don't think anyone would suggest that the bug is included under the banner of "works as expected."

          The main issue is the complicity in customers accepting two years as an acceptable life span. I'd be pretty upset if HP gave me a two year life for a laptop, server or switch and expected me to buy new hardware because they couldn't be bothered to work with MS and the Linux chaps to make sure their kit kept working. Apple's billions seem to be leading the phone industry into an entitlement to profits mentality.

          Is it time to pull the plug on proprietary phones? I know everyone wants to be Apple-successful, but most companies are not Apple, probably couldn't be Apple even if given the chance, and their customers are reasonably ok with that. We need a base-Android OS on top of which applications are added. The whole point of software layering is so we don't have to worry about the lower layers. We don't seem to have that any more with everyone (Apple, Google, MS, Samsung) wanting to own the entire stack - the OS and all the apps.

          Perhaps Google need to man-up and provide leadership. They need to tell licensees to get their act together and support customised versions of Android for longer or stop shipping them. They should ship stock Android and add custom applications on top.

          1. Malcolm Weir Silver badge

            Look, you want a service contract, go buy a service contract. Otherwise, how on earth can you demand that a product you bought yesterday be guaranteed to be upgradeable to a product released tomorrow? It's just preposterous.

            And your example is simply inaccurate. The hardware (from HP or otherwise) doesn't stop working the way it always has, it just becomes vulnerable to recently discovered issues. After a 1 year warranty (or whatever), why should you get free updates simply because you want them? Sure, many companies do provide them, for whatever reason, but the issue is whether you have a right to such updates for no other reason than your opinion that the thing you bought should have a lifetime of whatever you think it should be!

            And the example cited here of Apple being good at this is simply laughable: Apple patches things when they want to, and they have a long track record of being slow to roll patches out. They were also very late to OTA updates, and so on. I have a pal who is still chugging along on his old PowerPC Mac running the software it ran back in 2004. From his standpoint, until it dies, it does exactly the same job it did when he bought it, and any change would cost him time and money, and the fact that you or I might have a reason to change doesn't mean that he would agree with either of us!

            1. Triggerfish

              "Look, you want a service contract, go buy a service contract. Otherwise, how on earth can you demand that a product you bought yesterday be guaranteed to be upgradeable to a product released tomorrow? It's just preposterous."

              How's this different from recalling a car that has software vulns then?

    2. Paul Crawford Silver badge

      Carriers monkey with the OS/apps, then the carriers should fix them. It is high time that the law treats this sort of thing as a fault to be fixed for, say, 5 years after last sale. For everyone, so no supplier can wriggle out and not have to pony up to fix the damn software.

      1. Malcolm Weir Silver badge

        Five years? Why not fifty? Or a hundred?

        Seriously.

        What you're actually asking for is something like a service contract where, as long as you pay the premiums, they undertake to fix any flaws. But I'll bet the take-up ratio of that sort of model would be very low, because the consumer wants a cheap gadget, and the fact that you want the vendors to be liable for some indeterminate amount of work for however long you want them to be liable will have a predictable effect on the price (hint: upwards). So does the average punter want to pay for what you want them to have, or what they are OK with getting?

      2. Anonymous Coward

        Five years' support?

        No problem, that'll be $3,000.... or $100/mo on a 5-year contract.

      3. Charlie Clark Silver badge

        "Carriers monkey with the OS/apps, then the carriers should fix them. It is high time that the law treats this sort of thing as a fault to be fixed for, say, 5 years after last sale. For everyone, so no supplier can wriggle out and not have to pony up to fix the damn software."

        Five years is excessive. I'm not sure if the length of the warranty is really the problem. As you point out there are a lot of parties involved in any rollout. The law should be used to streamline the distribution of security patches. The threat of legal action backed up with stiff penalties can work wonders.

        This might be good in getting the carriers out of the mix, to which they add so little. Manufacturers might also be forced to pool resources for development or otherwise face a levy to a statutory body.

        Some thought would need to be given to older hardware which is no longer able to support the latest version of an OS. Backporting will only work for so long. Might have to introduce official restrictions on older hardware. It's not really that different to phasing out things like analogue mobile phones. Carriers should be able to enforce this.

        Just some ideas.

        1. Charles 9

          "Some thought would need to be given to older hardware which is no longer able to support the latest version of an OS. Backporting will only work for so long. Might have to introduce official restrictions on older hardware."

          And then you'll be playing right into the paranoid's hand since they figure old hardware is the only way to prevent Big Brother from watching you.

        2. John Brown (no body) Silver badge

          "Five years is excessive."

          Really? I don't think it's excessive. All items bought in the EU are covered by a default two year warranty but consumer law includes free parts and labour repairs (or is it just free parts?) for, in some cases, many years after that warranty expires. I think the term they use is "reasonable life" or something similar. The UK Govt. has a website somewhere with a non-exhaustive list of examples, eg a TV or a fridge should offer at least five years of life, the manufacturer being responsible for repairs or a pro-rata refund if it's not repairable.

          I'd certainly expect a phone to still be usable after five years without it being "unsafe" to use and for fixes to the OS to be available.

    3. Orv Silver badge

      Don't kid yourself -- the only reason vehicles have stricter standards is they're REQUIRED BY LAW to have stricter standards. Car companies would rather take the risk of lawsuits; they only do recalls on older models when forced to by the government. But things like mandatory recalls and lemon laws exist mostly because a car represents a significant investment in a way a phone doesn't, and so people pushed for those protections. Phones are considered disposable. Some, like Samsung's Galaxy offerings, arrive with so much crapware that after a couple years they can't even install app updates anymore.

    4. Anonymous Coward

      All it takes is one liability judgement that "because hacking" phone failed and severe bodily injury or loss of life resulted. I wonder if anyone is nosing around for a test case? Or more accurately, circling given that this involves lawyers.

  4. Paul Crawford Silver badge

    First Android worm?

    Of course it could send itself to everyone in your contacts list, and to everyone they know...

    Nice. Maybe Google and the phone makers should face a class-action suit if they don't fix it? MS must be laughing at the same sort of mistakes being made a decade later.

    1. Daggerchild Silver badge

      Re: First Android worm?

      Hrm. You might be able to distribute a patch like that :)

      Annoyingly, it's probably the *only* way most would ever get fixed.

    2. Justicesays

      Re: First Android worm?

      After a few iterations all the phone networks in the world would be overwhelmed with SMS, permanently, just have to make sure you *don't* check if the phone is already infected before sending out the new SMS's!

  5. Kevin McMurtrie Silver badge

    Service pack

    As much as I distrust Microsoft, having them help fund Cyanogen is probably the best way to wrestle OS control away from carriers that have no intention of updating phones. Cyanogenmod is lacking stability and usability in many ways, but at least it's always making progress.

    1. chasil

      Re: Service pack

      Let me rephrase that.

      Microsoft, PLEASE SAVE US FROM GOOGLE! Those people have no idea what they are doing, and we are tired of reinventing the Windows-95 era update.

      PLEASE PLEASE PLEASE fork Android into something that can be patched! We will be yours forever, and rue the day we cast aspiring glances elsewhere.

      Google, I do hope that you are listening. What comes next for you is neither what you expect nor want.

      It is, however, what you deserve.

    2. David 138

      Re: Service pack

      Half the time it's abandoned by the manufacturer. I don't think anyone should buy a phone that isn't a Nexus variant if you want a good experience with android. Cyanogen and all that bollocks can sod off as well, half the time they seem like they are about to fragment. It's a die-hard few, or people with abandoned phones that turn to it.

  6. Paul

    can you not simply disable the MMS service centre in the APN settings?

    who cares about MMS anyway?

    1. Anonymous Coward

      I changed the APN settings for the time being:

      - Suffixed a ".not" top level domain to the MMSC parameter to make it unresolvable;

      - Prefixed "1" to the MMS Proxy Port number to send it into oblivion.

      This is easy enough to undo once the coast is clear again.

      1. Anonymous Coward

        yeah but...

        How many average Android users would know how to do that?

        so they carry on as before using their device blissfully ignorant of the disaster about to happen when they open a vid sent from a friend.

        As has been said, this is the problem with Android. Makers stop updating devices as soon as they can get away with it. My old HTC device got ONE update. That was it. All support was pulled 6 months after first sale.

        That was one of the reasons I ditched smartphones altogether and went back to a dumb Nokia.

    2. Tabor

      "who cares about mms anyway ?"

      I do. I don't use it that often, but if needed I do. Your comment is basically the same as an iPhone user saying "So what ? Just hold it differently".

  7. Nanners

    Panic! Here comes karma bitches ...

    Seems I remember an article a few weeks back about an Apple text exploit that all the Android guys were just gushing over? Yeah....

  8. azaks

    Vulnerabilities in Android?

    who could have guessed?

    This plus the pile of Chrome exploits reported externally to Google a few days ago. Maybe Project Zero should spend more time looking at their own mess rather than everyone else's...

  9. Destroy All Monsters Silver badge

    Day of the Living Deadroids?

    So we have some headlining with 10⁹ phones, revised to 0.95 x 10⁹. Is this indeed the number of devices corresponding to "any phones running Android older than 4.1"? If so, how many of those are still in active use and how many are toxic wastevalued recyclable material?

  10. Not_The_Droids

    Some may have been patched...

    I'm on Cyanogenmod 12.1 Nightlies on my Oneplus, and it was "supposedly" patched some time last week or so. I have been updating on Fridays. Also by running TK Gapps, I can minimize the Google bloatware to just what I want installed - no Hangouts, no Books, Movies, blah blah blah. See https://plus.google.com/+CyanogenMod/posts

  11. Anonymous Coward

    there are alternatives

    WM launches this fall. The 950 and 950XL sound great, think I'll go with one of those over a POS on Android.

    1. Daggerchild Silver badge

      Re: there are alternatives

      Friend bought an early Lumia. You could lock it up with an MMS. Good luck!

  12. Anonymous Coward

    How long before the first malware that infects a billion people?

    Maybe it doesn't happen this time, depends on how easy this bug is to find. At any rate there are surely plenty of other bugs lurking in Android that can be remotely triggered in a similar manner. Find one and have it text a random assortment of the infected phone's contacts, and it would spread across the world in a matter of hours. What is done with a billion phone botnet, who knows, but it probably won't be good.

    You don't even need Android's famously crappy updating for this. It would spread so fast that if you found a zero day that infected iOS 7 & 8 in a similar manner you'd own 95% of all iPhones in the world even if Apple turned around a patch in 24 hours.

    Someday we're going to wake up and know what the Morris Worm would have been like if it had infected five orders of magnitude more devices.

    Microsoft ought to immediately start a black project researching for bugs like this in both Android and iOS. Brick a billion phones and a lot of people won't buy the same kind they had before - this may be Microsoft's only hope to get any market share in the mobile market :)

  13. Syntax Error

    Android platform is useless for security. NSA and GCHQ must be laughing. We must remember that Google is only an advertising company.

  14. Christian Berger

    Mobile operating systems simply are _far_ too complex

    What we need is a simple system without the attack surface of some hugely overcomplex pseudo object orientated system. Essentially something close to what the "suckless" people make, a simple way to switch between virtual framebuffer terminals. A system designed not by some clueless user experience designer, but by someone who actually uses it.

    There are billions of mobile phones out there, surely there's a market for phones which don't cater to the lowest intellectual denominator. Let's build mobile devices for people who don't need an app to tell them when to drink.

    1. Anonymous Coward

      Re: Mobile operating systems simply are _far_ too complex

      "a simple system without the attack surface of some hugely overcomplex pseudo object orientated system. "

      Whatever did happen to Symbian?

  15. Anonymous Coward

    crappy title

    MMS not TXT.

    1. Anonymous Coward

      Re: crappy title

      Meanwhile the title has changed, and a hammer was added.

  16. Anonymous Coward

    Dammit

    Guess the folks that own older (ie non updateable) 'Droid phones are SOL then.

    It does raise a point though, if a serious vuln is found for an older device which a lot of people still use because it has superior functionality to say a Crackberry then should the manufacturers be required to provide a fix?

    I recall reading that some older iPhones can still be sent back to Apple for a battery replacement, maybe it's time to have a similar system for software vulns?
