Got an Android phone? SMASH IT with a hammer – and do it NOW

Android smartphones can be secretly infected by malware smuggled in via video text messages, allowing criminals to sneak inside as many as 950 million devices. You just need to know a victim's cellphone number to silently inject malicious software in their vulnerable gizmo. Once infected, your mobe's camera and mic can be used …


    1. Anonymous Coward

      Re: should the manufacturers be required to provide a fix?

      well, either a fix, or the necessary source code so that we or someone else can fix it.

      /not holding his breath

  1. eJ2095

    ERm

    People still use MMS?

  2. jb99

    What?

    This makes no sense.

    It says you phone can be affected by *text* messages then talks about video?

    Really? Is it text or is it video? Is this like someone types in a description of what they can see and sends that?

    1. Charles 9

      Re: What?

      It's referring to the Multimedia Message System (MMS), which uses the Simple Message System (SMS) as a conduit to enable phone users to pass multimedia attachments around. Think of it like a form of e-mail attachment. The text that is sent contains the information the phone needs to know where to connect to download the actual file.

      Where the problem lies is that Android, like many other smartphones, tries to go one step ahead of you so you don't get frustrated waiting. It picks up the attachment ahead of time after it receives the text, sets it up for you to see, and THAT'S where the exploit lies.

  3. naive

    F*ck you google !

    Apology for the use of bad language, nothing, except being cynical, can word this well.

    $1000 for someone detecting a fatal flaw on a billion phones? Selling phones full of crap apps but no root access to remove the stuff? No updates for two-year-old phones in the $500 range?

    I hope the lawsuits against Google will make the ones against Big Tobacco look like child's play, unless they give us root or updates. It is my phone, not Google's, so give me root... like today!

    1. Big_Ted
      Facepalm

      Re: F*ck you google !

      My god what a sad post....

      Google don't sell many phones, and certainly not a billion of them; manufacturers such as Samsung sell them.

      Google have already, according to the story, provided those patches etc. to them, so if you don't get it, ask your phone maker why not, not Google.

      As to root access etc., Google phones, i.e. Nexus phones, have root access very easily, so you can do what you want with them.

      As to two-year-old phone updates, again ask Samsung etc., not Google...

      1. naive

        Re: F*ck you google !

        Your post is spot on when it comes to the facts, and mine is indeed incorrect.

        But being factually correct was not the point of it. It is just weird that someone starts making a smartphone OS, manages to get 85% global market share because it is good enough and given away for "free", but then nobody is responsible for updates.

        The point was also not to go into "you can install a custom ROM"; we all know that, but 95% of the users won't bother, they just sit on an insecure product.

        In 2008 the first Android phone was released; we are now 7 years further on, and Google did nothing to solve this, knowing how dangerous it all is from a security point of view to do nothing. When this type of issue surfaces in 2015, Google is clearly to blame for its lethargy towards the phone manufacturers in enforcing updates.

        I guess the government has to step in to tell this bunch of toddlers that updates are obligatory for at least 3 years, EU warranty period for electronic devices.

  4. Anonymous Coward
    Megaphone

    Enable vector 2

    For years IT people have been dealing with PC security, but at least felt they could take some steps to reduce the risk: filtering at the firewall, choosing antivirus and antimalware, installing local policies, deciding (to some extent) what software was installed.

    Then came phones. At first they were simple devices that didn't do too much; now they are multiprocessor, gigs-of-RAM computers in your pocket, but most of that "control" stuff has been stripped away, and people even get offended if you dare to imply that Facebook, messaging or a million cool apps are anything other than business critical. BYOD has fucked up a lot of business security; seriously, someone needs to stand up and properly weigh the value of handing over critical data to companies that are more interested in harvesting your information and contacts than protecting your livelihood.

    I don't just mean Google, most of them are at it and the BYOD moniker is just a smoke screen for data rape.

  5. Tubz Silver badge
    Thumb Down

    Now the conspiracy theorists would say this was a deliberate hole left by Google and the manufacturers to force you to buy a shiny new phone !

    1. gnasher729 Silver badge

      That's unlikely because if you have to buy a new phone because of a deliberate hole left by Google and the manufacturers, would you buy one of their phones, or would you go for an alternative?

  6. roo+

    This is why people should opt to buy only pure android phones. I had an HTC once and I hated that I could not get rid of cr*p software without rooting the phone. Since then only Nexus or pure Android phones. If more people do this then the manufacturers will have no option but to give in to demand.

  7. Thaumaturge

    What the hell is an update?

    Never seen one. Tried forcing a manual check...."You've got the latest version! "

    Luckily Hangouts was one of the first things I chucked out.

  8. heyrick Silver badge

    Oh look.

    Something else that's probably a one-module patch that Android can't do because its update mechanism is shit and requires all of the manufacturers and carriers to be complicit in making complete and full updates of everything just to perform this one small change - and most just aren't interested (old model = no profit).

  9. lvm

    My phone (Galaxy S5) has an 'auto retrieve' checkbox in MMS settings. And it is unchecked - clever me.

    1. Stumpy Pepys

      I've just done the same thing. Does this mitigate the problem?

      Not that I can remember anyone ever sending me an MMS. My dad did once, possibly.

  10. No Quarter

    Hangouts

    At least you can disable Hangouts.

    But it would be nice if you could remove it with all the other shite that is stuck to your device like Facebook and Weibo.

  11. TheProf
    Unhappy

    Aww cr8p

    Well all this advice doesn't help ease my mind.

    I received an MMS on Saturday. It claimed to be from Vodafone (it had a 4-digit short code) but I deleted it. I remember the 'pay £1.50 to view a video' scams a few years back and thought it was one of those.

    Have these evil-packed MMS been seen in the wild or are they still in the labs?

    Edit: I'd blocked the phone number. It was 9774. Appears to be a number Vodafone use.

    Anyone else had marketing MMS from Vodafone recently?

  12. Anonymous Coward

    It's quite a complex issue this that I think requires legislation.

    If I buy a phone I think it reasonable to get told how long my device is going to be supported and that any issues such as this that arise will be fixed. Therefore I can make an informed choice as to whether I'm going to buy the phone. This is already the case with TVs, washing machines, cars etc. and their warranty. It would be interesting to know whether the software is covered in those warranties; as has been stated previously, if the device is working within its parameters then it technically isn't faulty. It may be wide open to abuse, but until someone exploits it there isn't a fault.

  13. aphysicsguy

    Great

    I guess my Samsung S4 is screwed then - can't see any more updates coming for a >2 year old phone.

    I have nuked MMS settings - but how do we know that this exploit wasn't already known to crims and whether our phones are already compromised?

    1. Charles 9

      Re: Great

      I think the S4 is still on the Lollipop list, so it could still be updated.

  14. Yugguy

    Mitigation

    Ok, so all the google bloatware shite like Hangouts got disabled about a millisecond after I got the phone.

    I'm running Lillipop

    How does the worm get into the MMS message? Does it need to be deliberately planted or can it latch on to any pic in your phone?

    If deliberate then as I would only open MMS messages from trusted sources I should be ok?

    1. jason_uk

      Re: Mitigation

      Haven't looked into the details but presumably one would "exploit the exploit" with a specially crafted image containing some code.

      If (huge if) this is already in the wild it's not impossible that it sends itself to contact lists etc so "trusted sources" (e.g. family/friends) becomes a meaningless term.

    2. Teiwaz
      Coat

      Re: Mitigation

      > "I'm running Lillipop"

      Is that the cut-down version (as in Lilliput)?

      Sorry, couldn't resist...

  15. smartypants

    Bloody tools

    This, and the next gazillion exploits, are the result of this simple recipe:

    1) Take a human - any one will do. They all screw up.

    2) Take a language. They all have their flaws, but pick one that doesn't seem to give a damn what you do with memory, like C++.

    3) Blend and wait.

    It's the 21st century now, and, as someone who was coding C++ when there wasn't even a compiler for it, I just wonder why it and other languages with similar flaws are still being used so much. Sure, there may be a small percentage of situations where the bare-metal speed is worth it, but when you're writing software that will be deployed on a significant proportion of the devices in existence, using languages that make things hard to test and that so brilliantly hide the mistakes of us fallible humans seems positively stupid.

    Can we stop now?

    (I will not suggest another language. I've learned about 5 in the last year alone and I'm exhausted. Please agree amongst yourselves and I'll learn that one!)

    1. Anonymous Coward

      Re: Bloody tools

      "Sure, there may be a small percentage of situations where the bare-metal speed is worth it, but when you're writing software that will be deployed on a significant proportion of the devices in existence, using languages that make things hard to test and that so brilliantly hide the mistakes of us fallible humans seems positively stupid."

      Except that ARM chips aren't exactly the most performance-friendly chips on the market. They're just cheap and easy on the power (a boon when on batteries). But customers STILL expect good performance out of their devices even down the road. Sluggish performance becomes an increasingly common complaint as a phone ages. Even my S4 shows some oddities now and then. And let's not start on the memory limitations and so on. Phones are closer to the embedded world than the PC world in terms of architecture, and embedded developers will tell you a thing or two about delivering performance while under constraints. If you've got a highly-competitive market where the customers demand everything yesterday and doing nothing may not be an option, what do you do?

      1. smartypants

        Re: Bloody tools

        My arm-powered phone has 4 cores. A single one of them is far faster than it needs to be. The excuse that we need to use a dangerous language in mass market devices doesn't exist anymore.

        Most of Android is built in Java, not C++. I'm not advocating that language, but just pointing out that outright bare-metal performance is less important than other concerns, e.g. security.

        I would rather trade in 10 or 30 percent in performance if that makes my phone significantly less prone to such exploits.

        1. Charles 9

          Re: Bloody tools

          "Most of Android is built in Java,not c++."

          Except performance-intensive stuff IS native-coded. And multimedia stuff tends to fall into that category: especially anything involving video. And even my S4 (also a quad at nearly 2GHz per along with a good mobile GPU chip) has difficulty doing 1080p H.264 video with subtitles (not starting with H.265). A 10% hit can mean the difference between a decent enough playback and one too herky-jerky to be satisfactory. And most consumers think opposite to you. "Screw security; I just wanna get stuff done!" Meaning you're outvoted.

    2. Nick Ryan Silver badge

      Re: Bloody tools

      Isn't this video processing? That's not something you'd want to do in anything other than as efficient a way as possible, particularly on a mobile device.

      I'm shuddering right now at the thought of a video decoder written in C# with regular pauses in playback when the garbage collector kicks in. Yes, I know that smart coding and a sensible approach from the start can mitigate this but then this is another complication - https://msdn.microsoft.com/en-us/library/ms973837.aspx.

      1. smartypants

        Re: Bloody tools

        "I'm shuddering right now at the thought of a video decoder written in C# with regular pauses in playback when the garbage collector kicks in."

        This is the 21st century and we're talking about mobile devices, right? Why don't you just use the hardware-implemented codecs on the hardware (via the SDKs)? I can play real-time video in my phone's browser, or from within an app, without having to get my hands dirty writing C++ codecs.

        The piece of software relating to this particular security nightmare wasn't even something that would be bothered by GC.

        I don't use C# but they've got it right when they named the 'unsafe' declaration. Golang was written because Google realised it was stupid putting C++ in the hands of ordinary people and expect them not to end up with an exploit-ridden rat's nest.

        We're not going to fix humans any time soon. So the tools should change. Stuff the bare-metal performance (at least for situations where security is important - i.e. most of the stuff people use from day to day for online banking, shopping, communicating etc.)

        1. Charles 9

          Re: Bloody tools

          "This is the 21st century and we're talking about mobile devices right? Why don't you just use the hardware-implemented codecs on the hardware (via the SDKs)? I can play real time video on my phone's browser, or from within an app, without having to get my hands dirty writing c++ codecs."

          Because time marches on. Codecs get improvements and eventually get replaced with entirely new ones. Hardware H.264 can have trouble when handling bleeding-edge video files that push the codec to its limits. And they're absolutely worthless for the new wave of H.265 video.
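The "Bloody tools" exchange above turns on a parser trusting a length that a crafted media file hands it. As an added example (not code from this page, from Android, or from any real decoder), the C below sketches that pattern in a toy chunk format constructed for the illustration: the bounds check as it is commonly written (`fits_naive`) wraps in 32-bit arithmetic and accepts a hostile length, the subtract-based form (`fits_safe`) does not, and `walk_chunks` shows the other checks a parser needs before it copies anything. The format, function names and sample inputs are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy container for this example: a sequence of chunks, each
   [4-byte big-endian length (includes the 8-byte header)][4-byte tag][payload].
   It is not the layout of any real media format. */
enum { HDR_LEN = 8, MAX_PAYLOAD = 32 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The bounds check as it is commonly written: off + len can wrap around in
   32-bit arithmetic, so an attacker-chosen length near 4 GB passes the test. */
bool fits_naive(uint32_t off, uint32_t len, uint32_t total)
{
    return off + len <= total;
}

/* Overflow-safe form: never compute off + len; compare len against the
   space that is actually left. */
bool fits_safe(uint32_t off, uint32_t len, uint32_t total)
{
    return off <= total && len <= total - off;
}

/* Walk the chunks and copy each payload into a fixed buffer (standing in for
   whatever a decoder does with it). Returns the number of chunks, or -1 on
   malformed input. Every length in the file is treated as hostile. */
int walk_chunks(const uint8_t *buf, uint32_t total)
{
    uint8_t payload[MAX_PAYLOAD];
    uint32_t off = 0;
    int count = 0;

    while (off < total) {
        if (!fits_safe(off, HDR_LEN, total))
            return -1;                  /* truncated header */
        uint32_t len = be32(buf + off);
        if (len < HDR_LEN)
            return -1;                  /* len - HDR_LEN would underflow, or loop forever */
        if (!fits_safe(off, len, total))
            return -1;                  /* chunk claims more bytes than the file has */
        uint32_t plen = len - HDR_LEN;
        if (plen > sizeof payload)
            return -1;                  /* would overflow the destination buffer */
        memcpy(payload, buf + off + HDR_LEN, plen);
        off += len;                     /* cannot wrap: off + len <= total was proven */
        count++;
    }
    return count;
}

/* Constructed sample inputs. GOOD is two well-formed chunks. In EVIL the second
   chunk declares length 0xFFFFFFF8: off (12) + len wraps to 4, which the naive
   check accepts as "<= total", while the safe check rejects it. */
static const uint8_t GOOD[] = {
    0x00, 0x00, 0x00, 0x0C, 'a', 'b', 'c', 'd', 1, 2, 3, 4,  /* len 12, 4-byte payload */
    0x00, 0x00, 0x00, 0x08, 'e', 'f', 'g', 'h',              /* len 8, empty payload */
};
static const uint8_t EVIL[] = {
    0x00, 0x00, 0x00, 0x0C, 'a', 'b', 'c', 'd', 1, 2, 3, 4,
    0xFF, 0xFF, 0xFF, 0xF8, 'e', 'f', 'g', 'h',
};

int main(void)
{
    printf("good: %d chunks\n", walk_chunks(GOOD, (uint32_t)sizeof GOOD));
    printf("evil: %d (naive check would say fits=%d)\n",
           walk_chunks(EVIL, (uint32_t)sizeof EVIL),
           (int)fits_naive(12, 0xFFFFFFF8u, (uint32_t)sizeof EVIL));
    return 0;
}
```

Compile with any C99 compiler and run; GOOD yields 2 chunks and EVIL is rejected. The point the thread argues about is visible in `fits_naive`: the compiler does not complain and nothing fails at runtime, the addition simply wraps, so the only defence in C is to write the check in a form that cannot overflow and to reject every length before it is used as a copy size or a loop step.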

  16. Lallabalalla
    Gimp

    I don't know how to do any of that clever stuff

    but open is better, right?

  17. Ben Boyle
    Joke

    Yay!

    On the plus side, I have an Android phone on AT&T and half the time MMS messages never deliver content anyway, so I guess AT&T can start claiming that as a "security feature".

    1. Anonymous Coward

      Re: Yay!

      That's a bug with your phone or the cell tower you are connected to. I'm with AT&T and get MMS messages on my iPhone all the time, never had a problem like that except in a handful of times when I was at a football game or concert where the local cell towers were completely overloaded.

  18. David 164

    So Google could/should be able to issue a patch for Hangouts to stop pre-processing videos for now, until manufacturers pull their fingers out and issue an over-the-air update for Android, and for other messaging apps under its control. Other messaging app providers could provide the same fix fairly quickly as well, especially the big guys like Facebook and WhatsApp.

    We will see how seriously the messaging apps themselves take this bug.

  19. jzl

    Android: the new Microsoft Windows.

  20. Anonymous Coward

    A flaw? Fix this one and another will take its place.

    Eventually people should be able to see that such "flaws" really are undocumented features. The demand by the NSA that encrypted hardware and software without such flaws be illegal should be a hint that at least some flaws have not been accidents.

    Unless of course people's default setting is to believe companies and governments are genuinely honest and do not wish to misinform. In which case they will fix this, our data is safe and what a nice day it is again.
