One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch

Samsung has patched a serious security hole in its smartphones that can be exploited by maliciously crafted text messages to hijack devices. It appears no user interaction is required: if Samsung's messaging app bundled with phones since 2015 receives a booby-trapped MMS, it will parse it automatically before the user even …

  1. Anonymous Coward

    Samsung 0 click details

    For details see

    https://www.zdnet.com/article/samsung-patches-0-click-vulnerability-impacting-all-smartphones-sold-since-2014/

    Note that the article says it affects phones since 2014 rather than 2015.

    1. Blazde Silver badge

      Re: Samsung 0 click details

      Of course automatic thumbnail previews are part of the vector.

      I think eventually we'll discover the invention and widespread implementation of these was a highly successful conspiracy by malware authors carefully infiltrated into major software shops across the industry, since they serve no other obvious purpose.

  2. redpawn

    What are the chances

    this will happen to you by accident? No one is so mean spirited as to take advantage of this on purpose so don't worry.

    1. Pascal Monett Silver badge

      Re: What are the chances

      Your universe appears to be nice and comfy.

  3. Tom Chiverton 1

    Contact tracing framework still MiA then?

    1. Anonymous Coward

      MiA? It was installed yesterday on all Samsung phones made since 2015.

  4. TrumpSlurp the Troll

    Supported, supported, supported.........

    So nothing older than 18 months to 2 years?

  5. Sitaram Chamarty

    zero-click? I'm not so sure...

    I have a 4-year-old Samsung "J2-6" (if I remember the model number right). I just checked in the Messages app, and under "Multimedia Messages" I see "Auto retrieve" is off.

    I'm pretty sure I would have done that during a permission sweep when I first got the phone, so granted, it may not be the default, but as it stands, I very much doubt this is "zero-click" for my phone.

    And since I know *no one* who would send an MMS (with WhatsApp being near ubiquitous), if I did get one I would probably just delete it sight-unseen.

    Now, if you can send this via WhatsApp... now that would be a story!

    1. Anonymous Coward

      Re: zero-click? I'm not so sure...

      You're hosed & don't even know it.

    2. Pascal Monett Silver badge

      Re: if I did get one I would probably just delete it sight-unseen

      I think you missed the part where it says "no user interaction is required".

      You don't need to open it for it to wreak havoc on your phone, it just needs to get to it. That's a bit of a problem. And that was an understatement.

      1. Sitaram Chamarty

        Re: if I did get one I would probably just delete it sight-unseen

        Not when "auto-retrieve" is off.

        The message has not been retrieved.

  6. Giles C Silver badge

    Bug number

    There are two bug numbers quoted in this article.

    CVE (common vulnerability and exposure), which is at 2020-12637 and covers most of the products out there.

    SVE (Samsung vulnerability and exposure) is at 2020-16747, which, if I am reading this correctly, means Samsung has found more security bugs in its own products than the CVE has listed for all security bugs....

    Wow..... unless I am reading the numbers wrong

    1. cbars Bronze badge

      Re: Bug number

      Might be different thresholds there. All CRs getting a number, for example, as within Samsung that's potentially a security hole so needs tracking. CVEs though, by definition, are bad flaws.

  7. Nate Amsden

    turn off auto MMS download

    I did this after the first Android media bug came out many years ago. There's been tons since and probably tons more in the future. Doesn't eliminate the vulnerability of course but allows you to ignore random MMS from people you don't know, which reduces the likelihood of getting hit probably by 99.999%.

    Kind of shocked at this point there isn't more protection or sandbox or something around the messages app. It's probably been at least 4 to 5 years since that first one made big news.

  8. stiine Silver badge

    Galaxy S7 here

    Does anyone else receive regular messages in what I presume is Sanskrit or Arabic? I only use the S7 as a phone or as a hotspot and the only connections I make through it are via TLS 1.2 or IPsec.

  9. Kevin McMurtrie Silver badge

    So much finger pointing

    Why is it that Google research teams can find complicated potential exploits but they can't find their own abusive customers? Abuse complaints have been filed and Google has even indexed the evidence from abuse tracking web sites. Is hosting a global army of phishers and scammers not a security threat?
