back to article Got an Android phone? SMASH IT with a hammer – and do it NOW

Android smartphones can be secretly infected by malware smuggled in via video text messages, allowing criminals to sneak inside as many as 950 million devices. You just need to know a victim's cellphone number to silently inject malicious software in their vulnerable gizmo. Once infected, your mobe's camera and mic can be used …

  1. ZSn

    Tightwads

    $1,337, what a reward (apart from leet) for a bug that can affect a billion phones. What a bunch of tightwads!

    1. JohnnyGStrings

      Re: Tightwads

      My thoughts exactly - this is such a powerful exploit (not needing any user interaction to infect device) it should have received a larger bug bounty.

    2. Darryl

      Re: Tightwads

      Should've given him 31337?

    3. pixl97

      Re: Tightwads

      So how much would an exploit like this bring on the darknet?

    4. Charlie Clark Silver badge

      Re: Tightwads

      How much, in your opinion, should they have paid? Should we really be encouraging a market for the reporting of bugs?

      It is very important for companies like Google to reward such contributions appropriately. But the incentives need to be correctly aligned.

      1. Pascal Monett Silver badge

        How much ?

        Let me see, a vector that is present on every single Android phone in the market, cannot be stopped and can barely be contained, with the end game being complete control of all data on the phone for a billion potential users ?

        I'd say one million US dollars would not be much compared to the cost of the PR disaster if this weakness had been discovered by malware users and exploited.

        1. Phil O'Sophical Silver badge

          Re: How much ?

          I'd say one million US dollars would not be much compared to the cost of the PR disaster if this weakness had been discovered by malware users and exploited.

          PR disaster to whom? Goggle have a nice fix all ready, the blame for any infections will be firmly placed at the door of Vodafone/EE/SFR/Sprint/etc. who never ship upgrades after the first year or so. Agreed $1337 isn't much, but $1m is way over the top. Maybe $10K and a new Nexus phone?

          1. ZSn

            Re: How much ?

            Looking at the exploit market (there's a nice article on Bruce Schneier's blog today) it would be in the hundred of thousands of dollars at a guess. A exclusive 0-day for the desktop is about $100-$150k. A generic unpatchable flaw for a billion phones - well perhaps $1 million isn't too fanciful after all.

            1. Phil O'Sophical Silver badge

              Re: How much ?

              It's not unpatchable at all, but once the phone companies have made the money out of your contract they haven't the slightest interest in patching it for free when they can get you to "upgrade" instead.

    5. TheVogon

      Re: Tightwads

      Hopefully Microsoft will release a Windows Mobile installer for Android handsets via their work with Cyanogen, then at least there will be a more secure OS update option.

      (From existing dual boot testing on the same hardware, we already know WM is faster and the battery lasts longer too.)

      1. asdf

        Re: Tightwads

        >we already know WM is faster and the battery lasts longer too

        funny how that works when there a few apps for users to leave open to drain the battery.

        1. TheVogon

          Re: Tightwads

          "funny how that works when there a few apps for users to leave open to drain the battery."

          This was the case for both manufacturer testing without any apps running, and third party testing:

          http://bgr.com/2014/08/25/android-vs-windows-phone-htc-one-m8/

    6. Kriilin

      Re: Tightwads

      Sergey probably spent more for lunch..

  2. chasil

    Workarounds

    Article at NPR suggests the immediate removal of Google Hangouts:

    http://www.npr.org/sections/alltechconsidered/2015/07/27/426613020/major-flaw-in-android-phones-would-let-hackers-in-with-just-a-text

    "The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery... this setup invites the malware right in. If you're using the phone's default messaging app, he explains, it's "a tiny bit less dangerous." You would have to view the text message before it processes the attachment. But, to be clear, "it does not require in either case for the targeted user to have to play back the media at all," Drake says."

    Anonymous commenter at Slashdot suggests modifying the following entry in /system/build.prop:

    media.stagefright.enable-player=false

    (Root is required to modify build.prop)

    1. Paul Shirley

      Re: Workarounds

      Wiping the MMSC,MMS proxy & MMS port APN fields *might* help, should stop it fetching any MMS body. No guarantees though and I'd bet on there being plenty of other ways to trigger stagefright badness.

      There's simply no excuse for carriers and device manufactures not being able to quickly push a dll update and nailing this. Wont happen without heavy handed regulation - or at least the threat of huge fines.

      1. choleric

        Re: Workarounds

        Alternatively removing all MMS infrastructure from networks globally and running a steamroller over the lot of it would improve security vastly. Who intentionally sends MMS messages these days?

        1. Paul Shirley

          Re: Who intentionally sends MMS messages these days?

          On some networks you can't received MMS without first sending one, a large number of users might quite accidentally be protected because only hackers are likely to voluntarily use MMS today. That's aiming their SMS use didn't trigger conversion of long texts to MMS though.

          1. Roland6 Silver badge

            Re: Who intentionally sends MMS messages these days?

            >On some networks you can't received MMS without first sending one

            But don't applications such as Hangouts, Viber et al allow the sending of MMS messages via a different route ie not through the telco's messaging centre?

            1. tony2heads
              Unhappy

              Re: Who intentionally sends MMS messages these days?

              Right:

              - I have turned off MMS upload (never used the system anyway)

              - I don't use hangouts

              - I never installed Viber.

              - Media playack by VLC

              What else?

              1. Lallabalalla
                Trollface

                Re: Who intentionally sends MMS messages these days?

                What else?

                Buy an iPhone.

                1. Roland6 Silver badge
                  Joke

                  Re: Who intentionally sends MMS messages these days?

                  Re: What else?

                  CEX are reporting good business in old Symbian Nokia's...

              2. Anonymous Coward
                Anonymous Coward

                Re: Who intentionally sends MMS messages these days?

                "What else?"

                Did you RTFA? You still gotta SMASH IT WITH A HAMMER.

              3. Michael Habel

                Re: Who intentionally sends MMS messages these days?

                Right:

                - I have turned off MMS upload (never used the system anyway)

                - I don't use hangouts

                - I never installed Viber.

                - Media playack by VLC

                What else?

                Why are you assuming that VLC... Is any safer then say Kodi?! Do you even know what Stagefright does?! Or would you just be assuming that its only something that gets installed along with Kodi?!

                FYI -- Stagefright is the Hardware Acceleration CODECs needed by your Device in order to playback pretty much every Media File you have, and unless I'm missing my guess here... This shall also include such mundane things like *.mp3's.

                So someone shall have to explain this one to my why VLC should be any safer then the next Player?!

                1. tony2heads

                  @Michael Habel

                  With VLC (if I recall correctly) hardware acceleration is optional -but the default is ON.

                  It won't even run hardware acceleration on some devices.

        2. Steve Evans

          Re: Workarounds

          I wonder how hard this would be to block at the MMSC end? Although we all know how much networks like to get off their arse and do something useful... They love acting as dumb pipes, but only when it suits them!

          Oh well, given I haven't received an MMS in over a year, I just mangled the details in the APN... That should keep things safe... At least until an update arrives, which I expect won't be long on my Nexus.

          I fear for the security of OEM devices though.

    2. GerryMC

      Re: Workarounds

      I'm just glad that I tend to disable hideously obtrusive apps like hangouts - I want text messaging, not a social network/video chat/photo app. I like apps that do one thing well, not get in the way with "cute" features.

      1. Mike Echo

        Re: Workarounds

        "hideously obtrusive apps like hangouts"

        One of the biggest incentives for me to root my phone was to take control of the Google bloat that was usually installed by default. Bye bye hangouts and quite a few other apps-that-always-update-but-I-never-ever-use.

    3. chasil

      Re: Workarounds

      Later Slashdot commentary suggests disabling several more stagefright booleans in build.prop; I have only left the recording entry enabled, and even that may be a mistake. I am running Alliance on exynos; stock may have more concerns. I've survived several reboots with stage fright lobotomized.

    4. Michael Habel

      Re: Workarounds

      Anonymous commenter at Slashdot suggests modifying the following entry in /system/build.prop:

      media.stagefright.enable-player=false

      (Root is required to modify build.prop)

      Great so I managed to kill off stagefright.... How the Hell do I use my seemingly legit Kodi Install (Google Playstore), to watch stuff on my Phablet now?! Speaking about Kodi I guess it would be an even higher infection vector, in the sense, that its raison d'etre IS to play Movies (i.e. Clips)... Not above the board. (i.e From unknown sources). While there hasn't been much said about it. I don't think this is the first instance of a Video managing to pw0n some System. (Thinking of Windows here),.

      But, Kodi (Formerly known as XBMC), or in some cases SPMC. Damned well nearly relay on stagefright to work. Assuming you wanted your Movies to actually work.

      1. Uncle Slacky Silver badge
        Linux

        Re: Workarounds

        Why not just use VLC instead of Kodi?

        1. Michael Habel

          Re: Workarounds

          'Cause VLC would as likely as not also rely on the Stagefright CODECs to Videos to actually work.... Since its actually part of the Android -- Linux System, and would NOT otherwise be included with Kodi, or VLC... It's hardly like we could expect them to fix it for us. I'd imagine a Patch in-and-of-itself wouldn't take the World to fix.... But, getting that Patch out to everyone who'd needs it, is. Google need to have a re-think about how to bypass the OEM's to allow those who need to get Security Patches, to then actually get them... FAST!

          Then again... With no credible third Mobile OS out there, they still have time.... I suppose. And NO WinPho... Is in my book anything BUT, credible.... As bad as Android might be.... I'd still would have it over WinPho every time. This just makes me wish that the Ubuntu Phone was a bit closer to reality now though.

    5. Roland6 Silver badge

      Re: Workarounds

      That workaround might block one attack vector, but note the vulnerability is in Stagefright - Android's media playback engine. Hence I wonder whether the attack merely needs to get the user to run a suitability crafted video using a viewer that uses Stagefright. The use of MMS is obviously concerning because of the various under the hood (ie. not visible to user and out of user's control) actions that can be automatically triggered via MMS.

    6. BillG
      Stop

      Re: Workarounds

      Anonymous commenter at Slashdot suggests modifying the following entry in /system/build.prop:

      media.stagefright.enable-player=false

      (Root is required to modify build.prop)

      Do NOT do this until further research is done. Users on XDA are reporting that disabling Stagefright in this way can result in an unrecoverable boot loop.

      1. chasil

        Re: Workarounds

        media.stagefright.enable-player=false

        Do NOT do this until further research is done. Users on XDA are reporting that disabling Stagefright in this way can result in an unrecoverable boot loop.

        Can you post a link to this discussion? I have already disabled several stagefright booleans in my build.prop and rebooted without issue.

      2. chasil

        Re: Workarounds

        I have found these two references on boot-loop problems disabling the stagefright booleans in build.prop:

        http://forum.xda-developers.com/showpost.php?p=62069940&postcount=8

        http://forum.xda-developers.com/showpost.php?p=62073754&postcount=18

        The user in the final post did not preserve ownership/permissions on the build.prop file. His boot-loop had nothing directly to do with disabling stagefright.

        I used the busybox vi editor with an external keyboard to change my build.prop, obviating this issue.

        I have seen no clear evidence that disabling stagefright will harm the Android OS if done correctly and with care (YMMV).

    7. chasil

      Re: Workarounds

      Here are additional resources:

      http://fkwon.blogspot.com/2011/05/android-toggle-stagefright.html

      ---

      https://github.com/CyanogenMod/android_frameworks_av/commit/57db9b42418b434751f609ac7e5539367e9f01a6

      "from (previous) git entry I would suspect meta data parsing errors.

      so in /system/boot.prop (root required)

      [code]

      media.stagefright.enable-meta=false

      media.stagefright.enable-scan=false

      [/code]

      However, one cannot be sure about this."

  3. cashxx

    But its open source

    But its open source, its all FUD! Open as it wide!

    1. Destroy All Monsters Silver badge

      Re: But its open source

      It is?

    2. Daggerchild Silver badge

      Re: But its open source

      As it wide indeed! Looked for, found and then patched, by an *independant* party? Meanwhile a weaponised Windows font hole had to be actively pried from the hands of the only willing bughunters proprietary code ever has: Hackers.

      1. Anonymous Coward
        Anonymous Coward

        Re: But its open source

        Patched where? On Google code repository only? Until patches reach the devices, they're not patched at all. Google is responsible for a system that can't be patched by end users.

    3. Your alien overlord - fear me

      Re: But its open source

      Wrong fanboi, Google's own apps are closed source, such as Google+ but any competent programmer can reverse engineer it. AOSP is the open source version of Android and it doesn't come with any Google bloatware.

      1. Pascal Monett Silver badge

        Re: any competent programmer

        That's about as useful as saying that gangrene can be taken care of by any competent surgeon.

        Sure it can. You know how many competent surgeons, exactly ?

        The scale of this issue is such that EVERYONE needs a solution, not just the competent programmers.

        If solutions were only made for competent programmers, the IT industry would have been dead in the water 20 years ago.

  4. Destroy All Monsters Silver badge
    Paris Hilton

    Dafug?

    I have the weird feeling the bugsies are getting better every week...

    1. Khaptain Silver badge

      Re: Dafug?

      The hackers have the advantage of time... Anyone that new +ORCs tutorials would have known his Martina-Wodka, one of his essential cracking tools...

  5. Anonymous Coward
    Anonymous Coward

    What if a blocker removes any MMS outright?

    Will that still trigger the bug?

    1. Eddy Ito

      Re: What if a blocker removes any MMS outright?

      Since stagefright seems to be what android uses for hardware accelerated decoding I would imagine that the attack vector isn't that important. MMS is what makes it automatic since it appears to bypass any user interaction but I expect an attack could be done with email or facebook and most security unconscious folks would be happy to "Watch this video, it's sooo funny, LOL" if sent from someone they befriendified (if that's a word) online.

    2. Anonymous Coward
      Anonymous Coward

      Re: What if a blocker removes any MMS outright?

      I wouldn't depend on that. You'd be relying on the blocker removing the MMS before StageFright processes it which isn't going to be guaranteed.

  6. Nate Amsden

    filter at the telco level?

    I would think it is technically possible to inspect and filter at the carrier level for this kind of thing, since this is processed through their systems(and not some random web page or email or something).

    Maybe they don't have this capability, if not not a bad ability to have.

    1. Terry Barnes

      Re: filter at the telco level?

      You, erm, want them to inspect the content of your messages before they are sent to you? I think quite a few people would get cross about that.

      1. Charles 9

        Re: filter at the telco level?

        Not to mention that would make the ISPs legally liable and culpable for the content. IOW, they can now be sued or even charged criminally for not policing their network if they exploit the capability.

        1. Malcolm Weir Silver badge

          Re: filter at the telco level?

          Nonsense.

          In the UK, telco's filter over-the-air content all the time (and are in fact required to do so). You can request that they turn the filter off, but you have no legal comeback if they filter something you want.

          It's just false to assert that an ISP would somehow become liable for anything if they blocked malicious MMS traffic. Particularly since this is exactly analogous to efforts to block what used to be called "phone phreaking": techniques to misuse telco systems to achieve nefarious ends.

    2. Adam 1

      Re: filter at the telco level?

      OK, assuming some sort of signature based pattern can identify the infected video, why involve the telco at all? That would mean that the hangouts app itself could perform the scan before sending it off for preview. This is important, because hangouts can be pushed through Google play as an update.

      Although it wouldn't eliminate the attack vector (too much insufficient storage-esq errors on old devices), the attack surface would easily and quickly halve.

      OK Google, you've got 90 days.

    3. jporcina
      Megaphone

      Re: filter at the telco level?

      The MMSC of any mobile network usually incudes a virus scanner for the attached media.

      Unless the Mobile Operator has negelected this feature the MMS service will prevent the spread of any such "Stagefright" exploits.

      Note: This came to light from a research lab not from real-world evidence of exploits. Remember the Apple icloud hack?

  7. JakeMS
    Alert

    Damn!

    Damn! See this is why the very idea of locked down/DRMed devices is bad[1][2].

    When something critical like this happens many users cannot simply apply a patch to fix it, they are stuck with a device that is exposed and the only way to resolve it is to hope the manufacture releases a patch.

    Sure, you could install a custom rom to fix this, but this may not always be available for all android phones, for example, my android phone does not have this option.

    Thus, I now need to buy a new phone[3][4] :-/

    [1] I know android its self is indeed open source, but many (most?) mobile phone manufactures put various locks in place to prevent easy user modifying of the installed firmware.

    [2] I am an open source, anti-drm supporting nut job.

    [3] Typical, I just got my phone set up the way I like it.

    [4] More money spent.. so much for saving up for that 1967 Shelby Fastback Mustang..

  8. goldcd

    Meep.

    I'm a great big fat android fanboy - but I'm this is why Android is bad.

    Apple (for better or worse) to seem to support their hardware: https://en.wikipedia.org/wiki/List_of_iOS_devices#Highest_version_of_iOS_supported

    Or at least if you're a 4S or beyond owner, they seem to have you covered.

    With them you're getting updates for a 4 year old device, but in world of premium android you seem to get a "gentleman's agreement" on 2 years, and then you're on your own.

    Still, not quite as bad as it seems for Android - Google with "play services" seem to have been incrementally pulling more updates under their control, but it's still a bit half-arsed.

    Bit that always bemuses me though, is why they don't just embrace the Windows PC model (or probably more accurately the Windows PC laptop model) - with a Linux twist.

    There's less variance in phone hardware than there is on your average PC - buggered if I can't think of a reason you can't roll a "Google Play Installer" that checks components, and installs the relevant drivers.

    Has anybody actually bought an Android phone, due to the OS modifications in the last few years?

    1. Anonymous Coward
      Anonymous Coward

      Re: Meep.

      "Bit that always bemuses me though, is why they don't just embrace the Windows PC model (or probably more accurately the Windows PC laptop model) - with a Linux twist."

      It's the chipset manufacturers that are blocking that plan. Many of them design SoCs and specialized chips as highly-competitive black boxes (because they don't want to Give Information to the Enemy). Unlike in the PC world where most stuff was based on discrete standards, a lot of ARM-based hardware relies on proprietary arrangements covered in trade secrets and NDAs. Some manufacturers are more forthcoming, others aren't (some like Allwinner even violate the GPL it seems but don't care because they have connections).

      1. Daggerchild Silver badge

        Re: Meep.

        (because they don't want to Give Information to the Enemy)
        or let the enemy know they have some of their tech behind this veil, maybe, nobody's sure where tech ends and lawyers begin anymore these days.

    2. David Webb

      Re: Meep.

      Or you root it and stick on a custom rom and update it until you find the phone isn't powerful enough for your needs, I think that is the main beauty of Android, you have options. With Apple you're stuck, once they stop bringing out new updates for it, you're stuck with whatever version they decide you should have, so upgrade your phone.

      Naturally I'm with Windows Phone, security by obscurity, best method, honest guv'nor.

      1. Dan 55 Silver badge

        Re: Meep.

        Although you do need someone technically competent or a technically competent team compiling the custom ROM for your phone, not a primadonna compiling an unofficial version of CM which lasts about an hour between reboots and ignoring all the bug reports. Not the best criteria for buying expensive hardware.

      2. TheVogon

        Re: Meep.

        "Naturally I'm with Windows Phone, security by obscurity"

        Security by lowest vulnerability count too versus Blackberry, Android or IOS.

    3. Charlie Clark Silver badge

      Re: Meep.

      With them you're getting updates for a 4 year old device, but in world of premium android you seem to get a "gentleman's agreement" on 2 years, and then you're on your own.

      That's the legal requirement in the EU. Some of this stuff simply needs challenging in the courts.

      Things are often complicated by carriers running their own shit on top of the manufacturers' shit making which makes development and test take a lot longer. But some court rulings could really help in establishing the various degrees of liability.

      Apple's support is great as far as it goes. Anecdotally, however, I've been told that after about 3 years performance on the latest IOS seems to be so poor that new hardware is best solution. And app devs on IOS seem to march in lockstep with the IOS versions, meaning that OS upgrades are often required if you want to use the latest version of an app.

      There's less variance in phone hardware than there is on your average PC

      That simply isn't true. The lack of an ISA (industry standard architecture) has led to a raft of proprietary SoC's that all do things differently.

  9. Anonymous Coward
    Anonymous Coward

    Something of a delicate situation here. It's hard to force a manufacturer to support something that's about two generations old. The only reason vehicles have stricter standards is because lives are on the line (a defect that causes a fatal accident = wrongful death suits). Worse comes to worse, they could just drop out and leave everyone hanging. Then there are the carriers who insist on their customization or the phones don't get sold in their stores, period. No phone apart from iPhones has enough direct consumer draw to dictate terms to carriers.

    1. Vector

      I wondering what legal remedies might be available. Since you bought the phone with a tacit understanding that it would be functional for some period of time, and this vulnerability could compromise your financial information, if nothing else (certainly your personal information), failure to correct it might leave manufacturers/carriers liable. But, of course, IANAL. Any IAAL's want to chime in?

      1. Malcolm Weir Silver badge

        Legal remedies available: none.

        The thing you bought is as functional now as it was when you bought it

        Then, as now, it was vulnerable to some number of attacks, and if those attacks compromise your financial information, then that is a criminal act on the part of the attacker. Your agreement/contract/tacit understanding with the vendor in no way includes liability on the vendor for criminal acts of third parties.

        Your theory is as daft as asserting that the people who made your wallet are liable if you get mugged and the mugger steals the cash out of it.

        1. John Brown (no body) Silver badge

          "Then, as now, it was vulnerable to some number of attacks, and if those attacks compromise your financial information, then that is a criminal act on the part of the attacker. Your agreement/contract/tacit understanding with the vendor in no way includes liability on the vendor for criminal acts of third parties."

          On the other hand, it might be argued that it is a fault which was in place at the time of manufacture or purchase.

          1. Malcolm Weir Silver badge

            OK, let's argue that. If the vendor had no knowledge of the defect at the time, how do you draw a line between "bugs" and "features"? Remember, while we're talking about something that I suspect most people would agree is a bug, how do you draw a bright line between defects that require fixing, and defects that are of the "it just doesn't work the way I think it should" variety? Some may be easy to categorize, but others...?

            And what constitutes an acceptable fix? Could a vendor (e.g.) provide a patch that simply turned off this Stagefright feature? Because it could be argued that nowhere did they explicitly state the expected behavior; rather "you" assumed that it should behave in a given way.

            It's tempting to want consequential liability and warranted functionality, but to be honest we've (all) been buying software for decades without it, so you'd have a really tough time trying to insist on it now on a commodity item like a phone.

        2. P. Lee

          >Your theory is as daft as asserting that the people who made your wallet are liable if you get mugged and the mugger steals the cash out of it.

          Not really.

          There is an inherent defect in the product. I don't think anyone would suggest that the bug is included under the banner of "works as expected."

          The main issue is the complicity in customers accepting two years as an acceptable life span. I'd be pretty upset if HP gave me a two year life for a laptop, server or switch and expected me to buy new hardware because they couldn't be bothered to work with MS and the Linux chaps to make sure their kit kept working. Apple's billions seem to be leading the phone industry into an entitlement to profits mentality.

          Is it time to pull the plug on proprietary phones? I know everyone wants to be Apple-successful, but most companies are not Apple, probably couldn't be Apple even if given the chance, and their customers are reasonably ok with that. We need a base-Android OS on top of which applications are added. The whole point software layering is so we don't have to worry about the lower layers. We don't seem to have that any more with everyone (Apple, Google, MS, Samsung) wanting to own the entire stack - the OS and all the apps.

          Perhaps Google need to man-up and provide leadership. They need to tell licensees to get their act together and support customised versions of Android for longer or stop shipping them. They should ship stock Android and add custom applications on top.

          1. Malcolm Weir Silver badge

            Look, you want a service contract, go buy a service contract. Otherwise, how on earth can you demand that a product you bought yesterday be guaranteed to be upgradeable to a product released tomorrow? It's just preposterous.

            And your example is simply inaccurate. The hardware (from HP or otherwise) doesn't stop working the way it always has, it just becomes vulnerable to recently discovered issues. After a 1 year warranty (or whatever), why should you get free updates simply because you want them? Sure, many companies do provide them, for whatever reason, but the issue is whether you have a right to such updates for no other reason than your opinion that the thing you bought should have a lifetime of whatever you think it should be!

            And the example cited here of Apple being good at this is simply laughable: Apple patches things when they want to, and they have a long track record of being slow to roll patches out. They were also very late to OTA updates, and so on. I have a pal who is still chugging along on his old PowerPC Mac running the software it ran back in 2004. From his standpoint, until it dies, it does exactly the same job it did when he bought it, and any change would cost him time and money, and the fact that you or I might have a reason to change doesn't mean that he would agree with either of us!

            1. Triggerfish

              Look, you want a service contract, go buy a service contract. Otherwise, how on earth can you demand that a product you bought yesterday be guaranteed to be upgradeable to a product released tomorrow? It's just preposterous.

              Hows this different from recalling a car that has software vulns then?

    2. Paul Crawford Silver badge

      Carriers monkey with the OS/apps, then the carriers should fix them. It is high time that the law treats this sort of thing as a fault to be fixed for, say, 5 years after last sale. For everyone, so no supplier can wriggle out and not have to pony up to fix the damn software.

      1. Malcolm Weir Silver badge

        Five years? Why not fifty? Or a hundred?

        Seriously.

        What you're actually asking for is something like a service contract where, as long as pay the premiums, they undertake to fix any flaws. But I'll bet the take-up ratio of that sort of model would be very low, because the consumer wants a cheap gadget, and the fact that you want the vendors to be liable for some indeterminate amount of work for however long you want them to be liable will have a predictable effect on the price (hint: upwards). So does the average punter want to pay for what you want them to have, or what they are OK with getting?

      2. Anonymous Coward
        Anonymous Coward

        Five years' support?

        No problem, that'll be $3,000.... or $100/mo on a 5-year contract.

      3. Charlie Clark Silver badge

        Carriers monkey with the OS/apps, then the carriers should fix them. It is high time that the law treats this sort of thing as a fault to be fixed for, say, 5 years after last sale. For everyone, so no supplier can wriggle out and not have to pony up to fix the damn software.

        Five years is excessive. I'm not sure if the length of the warranty is really the problem. As you point out there are a lot of parties involved in any rollout. The law should be used to streamline the distribution of security patches. The threat of legal action backed up with stiff penalties can work wonders.

        This might be good in getting the carriers out of the mix, to which they add so little. Manufacturers might also be forced to pool resources for development or otherwise face a levy to a statutory body.

        Some thought would be need to given to older hardware which is no longer able to support the latest version of an OS. Backporting will only work so for so long. Might have to introduce official restrictions on older hardware. It's not really that different to phasing out things like analogue mobile phones. Carriers should be able to enforce this.

        Just some ideas.

        1. Charles 9

          "Some thought would be need to given to older hardware which is no longer able to support the latest version of an OS. Backporting will only work so for so long. Might have to introduce official restrictions on older hardware."

          And then you'll be playing right into the paranoid's hand since they figure old hardware is the only way to prevent Big Brother from watching you.

        2. John Brown (no body) Silver badge

          "Five years is excessive."

          Really? I don't think it's excessive. All items bought in the EU are covered by a default two year warranty buut consumer law includes free parts and labour repairs (or is it just free parts?) for, in some cases, many years after that warranty expires. I think the term they use is "reasonable life" or something similar. The Uk Govt. has a website somewhere with a non-exhaustive list of examples, eg a TV or a fridge should offer at least five years of life, the manufacturer being responsible for repairs or a pro-rata refund if it's not repairable.

          I'd certainly expect a phone to still be usable after five years without it being "unsafe" to use and for for fixes to the OS to be available.

    3. Orv Silver badge

      Don't kid yourself -- the only reason vehicles have stricter standards is they're REQUIRED BY LAW to have stricter standards. Car companies would rather take the risk of lawsuits; they only do recalls on older models when forced to by the government. But things like mandatory recalls and lemon laws exist mostly because a car represents a significant investment in a way a phone doesn't, and so people pushed for those protections. Phones are considered disposable. Some, like Samsung's Galaxy offerings, arrive with so much crapware that after a couple years they can't even install app updates anymore.

    4. Anonymous Coward
      Holmes

      All it takes is one liability judgement that "because hacking" phone failed and severe bodily injury or loss of life resulted. I wonder if anyone is nosing around for a test case? Or more accurately, circling given that this involves lawyers.

  10. Paul Crawford Silver badge
    Facepalm

    First Android worm?

    Of course it could send itself to everyone in your contacts list, and to everyone they know...

    Nice. Maybe Google and the phone makers should face a class-action suite if they don't fix it? MS must be laughing at the same sort of mistakes being made a decade later.

    1. Daggerchild Silver badge

      Re: First Android worm?

      Hrm. You might be able to distribute a patch like that :)

      Annoyingly, it's probably the *only* way most would ever get fixed.

    2. Justicesays
      Devil

      Re: First Android worm?

      After a few iterations all the phone networks in the world would be overwhelmed with SMS, permanently, just have to make sure you *don't* check if the phone is already infected before sending out the new SMS's!

  11. Kevin McMurtrie Silver badge

    Service pack

    As much as I distrust Microsoft, having them help fund Cyanogen is probably the best way to wrestle OS control away from carriers that have no intention of updating phones. Cyanogenmod is lacking stability and usability in many ways, but at least it's always making progress.

    1. chasil

      Re: Service pack

      Let me rephraise that.

      Microsoft, PLEASE SAVE US FROM GOOGLE! Those people have no idea what they are doing, and we are tired of reinventing the Windows-95 era update.

      PLEASE PLEASE PLEASE fork Android into something that can be patched! We will be yours forever, and rue the day we cast aspiring glances elsewhere.

      Google, I do hope that you are listening. What comes next for you is neither what you expect nor want.

      It is, however, what you deserve.

    2. David 138

      Re: Service pack

      Half the time is abandoned by the manufacturer. I don't think anyone should buy a phone that isn't a Nexus variant if you want a good experience with android. Cyanogen and all that bollocks can sod off as well, half the time they seem like they are about to fragment. Its a die hard few, or people with abandoned phones that turn to it.

  12. Paul

    can you not simply disable the MMS service centre in the APN settings?

    who cares about MMS anyway?

    1. Gob Smacked
      Stop

      I changed the APN settings for the time being:

      - Suffixed a ".not" top level domain to the MMSC parameter to make it unresolvable;

      - Prefixed "1" to the MMS Proxy Port number to send it into oblivion.

      This is easy enough to undo once the coast is clear again.

      1. Anonymous Coward
        Anonymous Coward

        yeah but...

        How many average Android users would know how to do that?

        so they carry on as before using their device blissfully ignorant of the disaster about to happen when they open a vid sent from a friend.

        As has been said, this is the problem with Android. Makers stop updating devices as soon as they can get away with it. My old HTC device got ONE update. That was it. All support was pulled 6 months after first sale.

        That was one of the reasons I ditched smartphones alltogether and went back to a dumb Nokia.

    2. Tabor

      "who cares about mms anyway ?"

      I do. I don't use it that often, but if needed I do. Your comment is basically the same as an iPhone user saying "So what ? Just hold it differently".

  13. Nanners

    Panic! Here comes karma bitches ...

    seems I remember an article a few weeks back about an apple text exploit that all the android guys were just gushing over? Yeah....

  14. azaks

    Vulnerabilities in Android?

    who could have guessed?

    This plus the pile of Chrome exploits reported externally to google a few days ago. Maybe Project Zero should spend more time looking at their own mess rather than everyone elses...

  15. Destroy All Monsters Silver badge
    Paris Hilton

    Day of the Living Deadroids?

    So we have some headlining with 10⁹ phones, revised to 0.95 x 10⁹. Is this indeed the number of devices corresponding to "any phones running Android older than 4.1"? If so, how many of those are still in active use and how many are toxic wastevalued recyclable material?

  16. Not_The_Droids

    Some may have been patched...

    I'm on Cyanogenmod 12.1 Nightlies on my Oneplus, and it was "supposedly" patched some time last week or so. I have been updating on Fridays. Also by running TK Gapps, I can minimize the Google bloatware to just what I want installed - no Hangouts, no Books, Movies, blah blah blah. See https://plus.google.com/+CyanogenMod/posts

  17. Anonymous Coward
    Anonymous Coward

    there are alternatives

    WM launches this fall. The 950 and 950XL sound great, think I'll go with one of those over a POS on Android.

    1. Daggerchild Silver badge

      Re: there are alternatives

      Friend bought an early Lumia. You could lock it up with an MMS. Good luck!

  18. Anonymous Coward
    Anonymous Coward

    How long before the first malware that infects a billion people?

    Maybe it doesn't happen this time, depends on how easy this bug is to find. At any rate there are surely plenty of other bugs lurking in Android that can be remotely triggered in a similar manner. Find one and have it text a random assortment of the infected phone's contacts, and it would spread across the world in a matter of hours. What is done with a billion phone botnet, who knows, but it probably won't be good.

    You don't even need Android's famously crappy updating for this. It would spread so fast that if you found a zero day that infected iOS 7 & 8 in a similar manner you'd own 95% of all iPhones in the world even if Apple turned around a patch in 24 hours.

    Someday we're going to wake up and know what the Morris Worm would have been like if it had infected five orders of magnitude more devices.

    Microsoft ought to immediately start a black project researching for bugs like this in both Android and iOS. Brick a billion phones and a lot of people won't buy the same kind they had before - this may be Microsoft's only hope to get any market share in the mobile market :)

  19. Syntax Error

    Android platform is useless for security. NSA and GCHQ must be laughing. We must remember that Google is only an advertising company.

  20. Christian Berger

    Mobile operating systems simply are _far_ to complex

    What we need is a simple system without the attack surface of some hugely overcomplex pseudo object orientated system. Essentially something close to what the "suckless" people make, a simple way to switch between virtual framebuffer terminals. A system designed not by some clueless user experience designer, but by someone who actually uses it.

    There are billions of mobile phones out there, surely there's a market for phones which don't cater to the lowest intellectual denominator. Let's build mobile devices for people who don't need an app to tell them when to drink.

    1. Anonymous Coward
      Anonymous Coward

      Re: Mobile operating systems simply are _far_ to complex

      "a simple system without the attack surface of some hugely overcomplex pseudo object orientated system. "

      Whatever did happen to Symbian?

  21. Anonymous Coward
    Anonymous Coward

    crappy title

    MMS not TXT.

    1. Anonymous Coward
      Anonymous Coward

      Re: crappy title

      Meanwhile the title has changed, and a hammer was added.

  22. Anonymous Coward
    Anonymous Coward

    Dammit

    Guess the folks that own older (ie non updateable) 'Droid phones are SOL then.

    It does raise a point though, if a serious vuln is found for an older device which a lot of people still use because it has superior functionality to say a Crackberry then should the manufacturers be required to provide a fix?

    I recall reading that some older Iphones can still be sent back to Apple for a battery replacement, maybe its time to have a similar system for software vulns?

    1. Anonymous Coward
      Anonymous Coward

      Re: should the manufacturers be required to provide a fix?

      well, either a fix, or the necessary source code so that we or someone else can fix it.

      /not holding his breath

  23. eJ2095

    ERm

    People still use MMS?

  24. jb99

    What?

    This makes no sense.

    It says you phone can be affected by *text* messages then talks about video?

    Really? Is it text or is it video? Is this like someone types in a description of what they can see and sends that?

    1. Charles 9

      Re: What?

      It's referring to the Multimedia Messaage System (MMS), which uses the Simple Message System (SMS) as a conduit to enable phone users to pass multimedia attachments around. Think of it like a form of e-mail attachment. The text is sent that contains information for the phone to know where to connect to download the actual file.

      Where the problem lies is that Android, like many other smartphones, tries to go one step ahead of you so you don't get frustrated in waiting. They pick up the attachment ahead of time after it receives the text, sets it up for you to see, and THAT'S where the exploit lies.

  25. naive

    F*ck you google !

    Apology for the use of bad language, nothing, except being cynical, can word this well.

    $1000,- for someone detecting a fatal flaw on a billion phones ?, selling phones full with crap apps but no root access to remove the stuff ?... no updates for 2 year old phones in the $500,- range ?...

    I hope the lawsuits against Google will make the ones against Big Tobacco look like child play, unless they give us root or updates. It is my phone, not googles so give me root.. like today !

    1. Big_Ted
      Facepalm

      Re: F*ck you google !

      My god what a sad post....

      Google dont sale many phones and certainly not a billion of them, manufacturers such as Samsung sale them.

      Google have already according to the story provided those patches etc to them as if you don't get it ask your phone maker why not , not Google.

      As to root access etc, Google phones ie Nexus phones have root access very easily so you can do what you want with it.

      As to 2 year old phone updates, again ask Samsung etc not Google.......

      1. naive

        Re: F*ck you google !

        Your post is spot on when it comes to the facts, and mine is indeed incorrect.

        But being factual correct was not the point of it. It is just weird that someone starts making a smart phone OS, manages to get 85% global market share because it is good enough and given away for "free", but then nobody is responsible for updates.

        The point was also not to to go into "you can install a custom ROM" we all know that, but 95% of the users won't bother, they just sit on an insecure product.

        In 2008 the first Android phone was released, we are now 7 years further, google did nothing to solve this, knowing how dangerous it all is from a security point of view to do nothing. When this type of issue surfaces in 2015, google is clearly to blame for its lethargy towards the phone manufacturers in enforcing updates.

        I guess the government has to step in to tell this bunch of toddlers that updates are obligatory for at least 3 years, EU warranty period for electronic devices.

  26. Anonymous Coward
    Megaphone

    Enable vector 2

    For years IT people have been dealing with PC security but at least felt they could take some steps to reduce the risk, filtering at the firewall, chose antivirus and antimalware, install local policies, decide (to some extent) what software was installed.

    Then came phones, at first they were simple devices that didn't do too much, now they are multiprocessor, gigs of ram, computers in your pocket, but most that "control" stuff has been stripped away and people even get offended if you dare to infer that facebook, messaging or a million cool apps are anything other than business critical. BOYD has fucked up a lot of business security, seriously someone needs to stand up and properly weigh the value of handing over critical data to companies that are more interested in harvesting your information and contacts than protecting your livelihood.

    I don't just mean Google, most of them are at it and the BYOD moniker is just a smoke screen for data rape.

  27. Tubz Silver badge
    Thumb Down

    Now the conspiracy theorists would say this was a deliberate hole left by Google and the manufacturers to force you to buy a shiny new phone !

    1. gnasher729 Silver badge

      That's unlikely because if you have to buy a new phone because of a deliberate hole left by Google and the manufacturers, would you buy one of their phones, or would you go for an alternative?

  28. roo+

    This is why people should opt to buy only pure android phones. I had an HTC once and I hated that I could not get rid of cr*p software without rooting the phone. Since then only Nexus or pure Android phones. If more people do this then the manufacturers will have no option but to give in to demand.

  29. Thaumaturge

    What the hell is an update?

    Never seen one. Tried forcing a manual check...."You've got the latest version! "

    Luckily Hangouts was one of the first things I chucked out.

  30. heyrick Silver badge

    Oh look.

    Something else that's probably a one module patch that Android can't do because its update mechanism is shit and requires all of the manufactures and carriers to be complicit in making compete and full updates of everything just to perform this one small change - and most just aren't interested (old model = no profit).

  31. lvm

    My phone (galaxy s5) has 'auto retrieve' checkbox in MMS settings. And it is unckecked - clever me.

    1. Stumpy Pepys

      I've just done the same thing. Does this mitigate the problem?

      Not that I can remember anyone ever sending me an MMS. My dad did once, possibly.

  32. No Quarter

    Hangouts

    At least you can disable Hangouts.

    But it would be nice if you could remove it with all the other shite that is stuck to your device like Facebook and Weibo.

  33. TheProf
    Unhappy

    Aww cr8p

    Well all this advice doesn't help ease my mind.

    I received a MMS on Saturday. It claimed to be from Vodafone (it had a 4 digit short code) but I deleted it. I remember the 'pay £1.50 to view a video' scams a few years back and though it was one of those.

    Have these evil-packed MMS been seen in the wild or are they still in the labs?

    Edit: I'd blocked the phone number. It was 9774. Appears to be a number Vodafone use.

    Anyone else had marketing MMS from Vodafone recently?

  34. Anonymous Coward
    Anonymous Coward

    It's quite a complex issue this that I think requires legislation.

    If I buy a phone I think it reasonable to get told how long my device is going to be supported and that any issues such as this that arise will be fixed. Therefore I can make an informed choice as to whether I'm going to buy the phone. This is already the case with TV's Washing Machines cars etc... and their warranty. It would be interesting to know whether the software is covered in those warranties as has been stated previously if the device is working within it's parameters then it technically isn't faulty, it may be wide open to abuse but until someone exploits it then there isn't a fault.

  35. aphysicsguy

    Great

    I guess my Samsung S4 is screwed then - can't see any more updates coming for a >2 year old phone.

    I have nuked MMS settings - but how do we know that this exploit wasn't already known to crims and whether our phones are already compromised?

    1. Charles 9

      Re: Great

      I think the S4 is still on the Lollipop list, so it could still be updated.

  36. Yugguy

    Mitigation

    Ok, so all the google bloatware shite like Hangouts got disabled about a millisecond after I got the phone.

    I'm running Lillipop

    How does the worm get into the MMS message? Does it need to be deliberately planted or can it latch on to any pic in your phone?

    If deliberate then as I would only open MMS messages from trusted sources I should be ok?

    1. jason_uk

      Re: Mitigation

      Haven't looked into the details but presumably one would "exploit the exploit" with a specially crafted image containing some code.

      If (huge if) this is already in the wild it's not impossible that it sends itself to contact lists etc so "trusted sources" (e.g. family/friends) becomes a meaningless term.

    2. Teiwaz
      Coat

      Re: Mitigation

      > "I'm running Lillipop"

      Is that the cut-down version (as in Lilliput)?

      Sorry, couldn't resist...

  37. smartypants

    Bloody tools

    This, and the next gazillion exploits, are the result of this simple recipe:

    1) Take a human - any one will do. They all screw up.

    2) Take a language. They all have their flaws, but pick one that doesn't seem to give a damn what you do with memory, like C++.

    3) Blend and wait.

    It's the 21st century now, and, as someone who was coding C++ when there wasn't even a compiler for it I just wonder why it and other languages with similar flaws still being used so much? Sure, there may be a small percentage of situations where the bare-metal speed is worth it, but when you're writing software that will be deployed on a significant proportion of the devices in existence, using languages that make things hard to test and that so brilliantly hide the mistakes of us fallible humans seems positively stupid.

    Can we stop now?

    (I will not suggest another language. I've learned about 5 in the last year alone and I'm exhausted. Please agree amongst yourselves and I'll learn that one!)

    1. Anonymous Coward
      Anonymous Coward

      Re: Bloody tools

      "Sure, there may be a small percentage of situations where the bare-metal speed is worth it, but when you're writing software that will be deployed on a significant proportion of the devices in existence, using languages that make things hard to test and that so brilliantly hide the mistakes of us fallible humans seems positively stupid."

      Except that ARM chips aren't exactly the most performance-friendly chips on the market. They're just cheap and easy on the power (a boon when on batteries). But customers STILL expect good performance out of their devices even down the road. Sluggish performance becomes an increasingly common complaint as a phone ages. Even my S4 shows some oddities now and then. And let's not start on the memory limitations and so on. Phones are closer to the embedded world than the PC world in terms of architecture, and embedded developers will tell you a thing or two about delivering performance while under constraints. If you've got a highly-competitive market where the customers demand everything yesterday and doing nothing may not be an option, what do you do?

      1. smartypants

        Re: Bloody tools

        My arm-powered phone has 4 cores. A single one of them is far faster than it needs to be. The excuse that we need to use a dangerous language in mass market devices doesn't exist anymore.

        Most of Android is built in Java,not c++. I'm not advocating that language, but just pointing out that outright bare metal performance is less important than other concerns, e.g. Security.

        I would rather trade in 10 or 30 percent in performance if that makes my phone significantly less prone to such exploits.

        1. Charles 9

          Re: Bloody tools

          "Most of Android is built in Java,not c++."

          Except performance-intensive stuff IS native-coded. And multimedia stuff tends to fall into that category: especially anything involving video. And even my S4 (also a quad at nearly 2GHz per along with a good mobile GPU chip) has difficulty doing 1080p H.264 video with subtitles (not starting with H.265). A 10% hit can mean the difference between a decent enough playback and one too herky-jerky to be satisfactory. And most consumers think opposite to you. "Screw security; I just wanna get stuff done!" Meaning you're outvoted.

    2. Nick Ryan Silver badge

      Re: Bloody tools

      Isn't this video processing? That's not something you'd want to do in anything other than as efficient a way as possible, particularly on a mobile device.

      I'm shuddering right now at the thought of a video decoder written in C# with regular pauses in playback when the garbage collector kicks in. Yes, I know that smart coding and a sensible approach from the start can mitigate this but then this is another complication - https://msdn.microsoft.com/en-us/library/ms973837.aspx.

      1. smartypants

        Re: Bloody tools

        "I'm shuddering right now at the thought of a video decoder written in C# with regular pauses in playback when the garbage collector kicks in."

        This is the 21st century and we're talking about mobile devices right? Why don't you just use the hardware-implemented codecs on the hardware (via the SDKs)? I can play real time video on my phone's browser, or from within an app, without having to get my hands dirty writing c++ codecs.

        The piece of software relating to this particular security nightmare wasn't even something that would be bothered by GC.

        I don't use C# but they've got it right when they named the 'unsafe' declaration. Golang was written because Google realised it was stupid putting C++ in the hands of ordinary people and expect them not to end up with an exploit-ridden rat's nest.

        We're not going to fix humans any time soon. So the tools should change. Stuff the bare-metal performance (at least for situations where security is important - i.e. most of the stuff people use from day to day for online banking, shopping, communicating etc.)

        1. Charles 9

          Re: Bloody tools

          "This is the 21st century and we're talking about mobile devices right? Why don't you just use the hardware-implemented codecs on the hardware (via the SDKs)? I can play real time video on my phone's browser, or from within an app, without having to get my hands dirty writing c++ codecs."

          Because time marches on. Codecs get improvements and eventually get replaced with entirely new ones. Hardware H.264 can have trouble when handling bleeding-edge video files that push the codec to its limits. And they're absolutely worthless for the new wave of H.265 video.

  38. Lallabalalla
    Gimp

    I don't know how to do any of that clever stuff

    but open is better, right?

  39. Ben Boyle
    Joke

    Yay!

    On the plus side, I have an Android phone on AT&T and half the time MMS messages never deliver content anyway, so I guess AT&T can start claiming that as a "security feature".

    1. Anonymous Coward
      Anonymous Coward

      Re: Yay!

      That's a bug with your phone or the cell tower you are connected to. I'm with AT&T and get MMS messages on my iPhone all the time, never had a problem like that except in a handful of times when I was at a football game or concert where the local cell towers were completely overloaded.

  40. David 164

    So Google could/should be able to issue a patch for Hangout to stop pre processing videos for now until manufactures pull their fingers out and issue a over the air update for android, an other messaging apps under it control. An other messaging app providers could provide the same fix fairly quickly as well, especially the big guys like Facebook and WhatsApp.

    We will see how seriously the messaging apps themselves take this bug.

  41. jzl

    Android: the new Microsoft Windows.

  42. Anonymous Coward
    Anonymous Coward

    A Flaw? Fix this one another will take it's place.

    Eventually people should be able to see that such "flaws" really are undocumented features. The demand by the NSA that encrypted hardware and software without such flaws be illegal should be a hint that at least some flaws have not been accidents.

    Unless of course peoples default setting is to believe companies and governments are genuinely honest and do not wish to misinform. In which case they will fix this, our data is safe and what a nice day it is again.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like