Main Area and Open Discussion > Living Room

Security: Stagefright Vulnerability (Android)

(1/3) > >>

ewemoa:
Six critical vulnerabilities have left 95 per cent of Google Android phones open to an attack delivered by a simple multimedia text, a mobile security expert warned today. In some cases, where phones parse the attack code prior to the message being opened, the exploits are silent and the user would have little chance of defending their data.

--- End quote ---

via: http://www.forbes.com/sites/thomasbrewster/2015/07/27/android-text-attacks/

Still trying to process what one can easily do about this (apart from disabling network access and turning off one's affected Android devices -- may be it's important to be careful about what one does after turning it back on too...).

Some related info:

  http://www.theregister.co.uk/2015/07/27/android_phone_text_flaw/
  https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960
  http://it.slashdot.org/story/15/07/27/1416257/stagefright-flaw-compromise-android-with-just-a-text

mouser:
Yikes, that's crazy.

Jibz:
I've seen some people suggest disabling automatic download of mms messages (an option in Hangouts and other sms apps). The idea is that if no mms is downloaded, the decoder will not run.

The worst part about these kind of errors in the underlying system, is that with the way each manufacturer is running his own version of android, it will take a while for fixes to roll out even though Google fixes it. Some older phones will probably never get an update. Glad I have a Nexus :Thmbsup:.

ewemoa:
The disabling instructions I've encountered include:

1. In messaging apps, disable automatic downloading of mms messages (like what Jibz said)
2. In APN settings, disable some appropriate mms-related settings (didn't manage to become clear enough on exactly what though)
3. For rooted phones, put media.stagefright.enable-player=false in /system/build.prop (likely have to do something like: 'mount -o remount,rw /system' as root first)

The first two suggestions might help to mitigate the issue, but there may be other ways for the code in question in stagefright to get executed, IIUC.

My current understanding is that on some phones the code in question can get executed with system level privileges (e.g. Galaxy S4), but not necessarily on all phones.  So I guess depending on one's phone, how nasty this is may be quite different.


Regarding updates, IIUC, the Cyanogemod 12.x (nightly) series has been patched:

  https://plus.google.com/+CyanogenMod/posts/7iuX21Tz7n8

Personally I'm waiting for:
CM11 will see these updates hit as part of out of band fixes this weekend (these releases occur weekly).

--- End quote ---

TaoPhoenix:

"....multimedia text..."

There was some different iPhone attack by text (that I have to invoke Fermat and say I don't recall what or why), whose solution was some setting where it doesn't parse the text message "live" but just says you have a text, and then you have to enter the full text reading mode to read it. So I did that setting, (not recalling now where it was), but I wonder if anything like that matters here - sparked by the similarity of "....(attack) text message..."

Navigation

[0] Message Index

[#] Next page