back to article 'Millions' of Android mobes vulnerable to new Stagefright exploit

A group of Israeli researchers reckon they've cracked the challenge of crafting a reliable exploit for the Stagefright vulnerability that emerged in Android last year. In a paper [PDF] that's a cookbook on how to build the exploit for yourself, they suggest millions of unpatched Android devices are vulnerable to their design, …

  1. Anonymous Coward
    Anonymous Coward

    Pretty easy to get people to visit a 'hacker' website

    Good example was the malware hidden in ads on major sites like cnn.com just in the last couple days. If you have an exploit that requires a user's browser as the attack vector, all you have to do is take over an advertising network - which is apparently pretty easy since their security is shit - and you will have millions of visitors as they hit major sites serving infected ads.

    No need to trick them into visiting www.hack.me or www.a0l.com when you can nab them on sites they'd never think twice about visiting, and that they have bookmarks for.

    Now hackers apparently have been given a cookbook for how to craft the code by these guys, so this Stagefright thing about to get real.

    1. Michael Habel Silver badge

      Re: Pretty easy to get people to visit a 'hacker' website

      And, suddenly I don't feel a bit bad about having rooted my Device, just to have been able to install AdAway onto it.

      1. Adam 1

        Re: Pretty easy to get people to visit a 'hacker' website

        You can also install ublock origin on android Firefox without root.

        1. asdf

          Re: Pretty easy to get people to visit a 'hacker' website

          or install privoxy on your router and get ad blocking on any browser on any unrooted phone or computer.

        2. Halfmad Silver badge

          Re: Pretty easy to get people to visit a 'hacker' website

          Out of lazy interest as I use it on my desktop would I also be able to block elements larger than a specific size on the android version?

          It dramatically speeds up some sites for me.

  2. Anonymous Coward
    Linux

    Millions of unpatched Android mobes vulnerable to Stagefright exploit

    "millions of unpatched Android devices are vulnerable to their design" and patched since October 2015.

    1. asdf

      Re: Millions of unpatched Android mobes vulnerable to Stagefright exploit

      I would actually be surprised if the worldwide percent of all android devices patched even today is double digit.

  3. werdsmith Silver badge

    As long as people keep buying this shit, we won't get choice or better.

    1. asdf

      in their defense.

      Well problems like this get patched very quickly on newish Nexus devices. The Google spying well that is a very basic design feature.

  4. Anonymous Coward
    Anonymous Coward

    The exploit also needs a perform a heap spray to work, and that means the attacker may need to attempt exploitation multiple times on the target.

    Hello advertising malware. Although, I would also consider those insulting Microsoft ads on the BBC malware, but that's more because they seek to associate Microsoft with "security" (which is why they're insulting).

    On the plus side, that at least prompted me to get a UK VPN :).

    1. TheVogon

      "because they seek to associate Microsoft with "security" (which is why they're insulting)"

      FYI - there has been zero malware, and zero critical vulnerabilities across all versions of Windows Phone to date.

      Iphones are nearly as bad as Android too - see http://www.theregister.co.uk/2016/03/16/acedeceiver_ios_malware/

      1. s2bu

        @ TheVogon

        That's called security through obscurity.

        1. asdf

          Re: @ TheVogon

          Well one way to drastically reduce the attack vector is to discourage users from installing software by being unable to find any.

          1. asdf

            Re: @ TheVogon

            meant attack surface or number of attack vectors.

      2. Anonymous Coward
        Anonymous Coward

        FYI - there has been zero malware, and zero critical vulnerabilities across all versions of Windows Phone to date.

        I don't think that the target volume is really there to make finding vulnerabilities a worthwhile exercise - even security professionals don't bother. In addition, there is so little software for it that anything dodgy will stand out, there isn't exactly a crowd to sink into now, it there?

  5. Anonymous Coward
    Anonymous Coward

    Nexus 5 with android 5.01

    Not exactly a common configuration in 2016.

    We also don't know if they were running a custom kernel, as for reasons that made me suspicious , rather than showing the Android build info in system properties, which shows more detail, they opted to show user agent in browser.

    A year after stage fright, all devices in our house have been patched, Samsung's, Sony and Motorola devices, and I have never ever seen or heard of a real exploit anyhwere. Usuasl scare tactics.

  6. Grikath

    Hmmmm...

    User experience: click linkie.. video plays...crash... click linkie again, video crash.. click linkie again..

    That video had better be something people *really* want to see. Most people won't bother after the first crash, most certainly won't after the second crash. The technique may work, but given the delivery method, I doubt that the potential footprint would be "millions".

    1. midcapwarrior

      Re: Hmmmm...

      RIF

      "also important to note that the victim doesn't have to press play on a rigged MPEG4 video file, because the bug is triggered when the web browser simply fetches and parses the file upon first seeing it."

    2. Anonymous Coward
      Anonymous Coward

      Re: Hmmmm...

      >That video had better be something people *really* want to see.

      Grrr why won't my phone play ParisHiltonBareBack.mp4. I'll try a few more times.

  7. Anonymous Coward
    Anonymous Coward

    Cyanogenmod time

    OK, I've had enough.

    Am I right in believing that if I re-flash my Moto X 2014 with Cyanogenmod, I can get the AOSP bug fixes which Motorola seem to take entire epochal time slots to release?

    Any advice? Pitfalls?

    Thanks and appreciated in advance.

    1. BinkyTheMagicPaperclip

      Re: Cyanogenmod time

      Go to xda developers and read the thread for your particular phone, to find a ROM and see if it is both up to date and stable.

      Pros : may get later code, possibly more secure

      Cons : could be less stable, as CM does not necessarily have access to all documentation and resources the manufacturer has. May lack specialist functionality (i.e. my previous phone when moved to CM drops FM Radio, HDMI support, and the camera support is not as good. It was worth it considering the manufacturer ROM stops at ICS, whereas CM is currently up to Lollipop..)

    2. Chronos

      Re: Cyanogenmod time

      Short answer: Yes, you will get the AOSP fixes in the Nexus monthlies fairly quickly.

      Long answer: You will need to be running nightlies for this to happen quickly. There are all sorts of warnings about nightlies not being production ready but, IME, nightlies are about as stable as the old ZTE Blade releases were back in the day. Or build from source, but that's a whole other learning curve, not least of which is where to get the proprietary bits from before you're actually running CM.

      Good choice of handset in the Moto X. The Motos in general seem to become stable fairly quickly, even in comparison to some handsets (Wileyfox, I'm looking at you) that have official CyanogenOS support.

      If you go with CM13, you may come up against an issue installing OpenGapps with the CM13 recovery. The workaround is to use a CM12.1 recovery booted through fastboot to apply Gapps or search for a bundledawk version of the Gapps zip.

    3. gollux

      Re: Cyanogenmod time

      Better to brick it finding Cyanogenmod won't load than to be running a easily compromised device.

      If it bricks, replace it with something supported by Cyanogenmod for that inevitable point in time when the manufacturer quits supplying Android updates.

    4. Planty Bronze badge

      Re: Cyanogenmod time

      you have the bug fixes. Moto push them just fine. I suspect your patches will be on 5.1, but they are still patches that work. Or did you hope patches meant free OS upgrade for an old phone?????

      1. Chronos

        Re: Cyanogenmod time

        Not buying into the constant upgrade cycle and becoming a cash cow for vendors is one of the many reasons some of us run CM. If you don't like that, old son, tough titty. You may believe they have a deity bestowed right to profit but I think they can sod off, frankly.

        The Moto X is a perfectly capable device. The ability to extend internal storage with MM/6.0.1/CM13 using an SD makes it even more viable for long term use.

  8. BinkyTheMagicPaperclip

    Slow clap

    Oh well done chaps, reliably exploiting a months old vulnerability and making it easier for the really bad guys to wreak havoc. I suppose their argument would be that this forces the manufacturers to fix their ROMs, but really, does anyone believe they care?

    It's just going to cause issues that might otherwise have taken longer to arise.

    Not that it matters personally, as Cyanongenmod patched it months ago, of course there's now the new Snapdragon exploits to patch..

    Sooner rather than later there will be a legal requirement to patch years old firmware, or being more realistic about capitalism, there will probably be a remote kill switch to brick non compliant hardware and force the purchase of new shiny hardware with different bugs.

  9. Yugguy

    Joe says sorry

    He didn't realise Androids were vulnerable to old Def Leppard tracks.

  10. ecofeco Silver badge

    Already in the wild

    I've seen this combined with ransom ware.

    It opens the door for the ransom ware attack which itself is disguised as an Android update.

    Nasty stuff.

    1. Anonymous Coward
      Anonymous Coward

      Re: Already in the wild

      Not true. It's a fake OS update that is nothing to do with this. The same sites deliver fake iOS and fake windows updates notices depending on your user agent.

      No vulnerability here,just JavaScript and idiot users, it will try and give you an apk on Android (if you have untrusted sources switched on), or an EXE on windows (that is unsigned).

  11. This post has been deleted by its author

    1. Michael Wojcik Silver badge

      I don't know about the worst, but they're certainly not providing any for my phone (SCH-I927 Captivate Glide, which I bought because it has a physical qwerty keyboard).

      No OTA updates are available either, because I'm on an AT&T-hosted MVNO.

      With a refurbished grey-market phone and an MVNO, though, I wasn't expecting any updates from anyone. On the other hand, the phone was only around $100 and came unlocked and rooted, and I pay less than half of what my wife pays AT&T for a similar level of service (aside from off-network roaming - but my SIM card is replaceable).

      On the whole, I'm willing to forego updates in exchange for a device with the features I want (physical keyboard, SD card slot, removable SIM, removable battery), which I have full control over, at a much lower price and no contract. But then that's why I won't pay a lot of money for a phone in the first place - flagship features be damned.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020