Author Topic: WARNING: "Stagefright" bug - Required reading for the owners of Android phones!  (Read 3496 times)


Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum



Earlier this week, security researchers unveiled a vulnerability that is believed to be the worst Android vulnerability yet discovered. The “Stagefright” bug exposes nearly 1 billion Android devices to malware: https://en.wikipedia.org/wiki/Stagefright_(bug)
The vulnerability was found in “Stagefright”, an Android media library. Hackers can gain access to a device by exploiting the vulnerability and can then access contacts and other data, including photos and videos, and can access the device’s microphone and camera, and thus spy on you by recording sound and taking photos.

All devices running Android versions from Froyo 2.2 to Lollipop 5.1.1 are affected; these versions are used by approximately 95% of all Android devices.

The scary part is that hackers only need your phone number to infect you. The malware is delivered via a multimedia message sent to any messenger app that can process MPEG4 video format – like an Android device’s native messaging app, Google Hangouts and WhatsApp. As these Android messaging apps auto-retrieve videos or audio content, the malicious code is executed without the user even doing anything – the vulnerability does not require the victim to open the message or to click on a link. This is unique, as mobile malware usually requires some action to be taken to infect the device. The malware could also be spread via link, which could be sent via email or shared on social networks, for example. This would, however, require user interaction, as the video would not load without the user opening a link. This exploit is extremely dangerous, because if abused via MMS, victims are not required to take any action and there are neither apparent nor visible effects. The attacker can execute the code and remove any signs that the device has been compromised, before victims are even aware that their device has been compromised.


A cybercriminal’s and dictator’s dream

Cybercriminals can take advantage of the vulnerability to collectively spy on millions of people – and even execute further malicious code. Repressive governments could abuse the bug to spy on their own people and enemies. The vulnerability, however, could also be used for non-political spying. Hackers can easily spy on people they know, like their spouse or neighbour – all they need to know is their victim’s phone number. Hackers can also steal personal information and use it to blackmail millions of people, or use the data for identity theft. The possible consequences of this vulnerability need to be taken seriously.


Fixes are urgently needed

Now comprehensive fixes need to be provided by the phone’s manufacturers in an over-the-air (OTA) firmware update for Android versions 2.2 and up. Unfortunately, updates for Android devices have historically taken a long time to reach users. Hopefully, manufacturers will respond quicker in this case. On a positive note, Google has already responded. HTC told Time: “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.” http://time.com/3973711/stagefright-android-text-hack/


In the meantime, what can you do to protect yourself?

We recommend users disable “auto retrieve MMS” within their default messaging app’s settings, as a precautionary measure for the moment. We have put together step-by-step instructions on how you can disable auto retrieve for MMS in various Android messaging apps (detailed instructions):
https://blog.avast.com/2015/07/29/big-brothers-could-be-watching-you-thanks-to-stagefright/

(Avast)

Samker's Computer Forum - SCforum.info


Samker

Re: Google patches Android hijack bug Stagefright
« Reply #1 on: 08. August 2015., 10:07:37 »
"Biggest security update in history coming up: Google patches Android hijack bug Stagefright"

Black Hat 2015: https://www.blackhat.com - For those of you worried about the Stagefright flaw in Android, be reassured, a patch will be coming down the line in the next few days.

"My guess is that this is the single largest software update the world has ever seen," said Adrian Ludwig, lead engineer for Android security at Google. "Hundreds of millions of devices are going to be updated in the next few days. It's incredible."

All Nexus devices are going to be patched, and Samsung, Motorola, HTC, LG, Sony, Android One, and hundreds of other manufacturers are going to push out the patches too, he said. Some handset vendors, like Silent Circle, have already patched their operating systems.

"With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner," said Dong Jin Koh, EVP of Samsung Electronics, Mobile R&D Office.

"Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected. We believe that this new process will vastly improve the security of our devices and will aim to provide the best mobile experience possible for our users."

In addition, Google, Samsung, and LG have made a commitment to send out monthly security patches to users that will fix any upcoming issues in the operating system. These updates have been sent out to manufacturers for years, but now end users will get them too, and they will continue for at least three years after the launch of any new handset.

"We've looked at the events of the last few weeks and realized we need to move faster, and that we need to tell people what we are doing," Ludwig said.

The Stagefright flaw was a serious issue, with 95 per cent of devices potentially vulnerable, he said, but there were mitigating factors. Android Jellybean 4.1 or later devices had address space layout randomization (ASLR) to block memory exploits, he said, and this bought enough time to sort out the issue.

As for the other Android bug from last week – Trend Micro's discovery of an integer overflow bug in Android's media server service – that too will be fixed by the end of the week: http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-vulnerability-that-renders-android-devices-silent/
The flaw allowed phones to be crashed and silenced due to errors in video handling, and a fix is in place despite Google initially dismissing the issue as low priority.

"Google's messenger app gets updated by end of week so it won't build dynamic media thumbnails," Ludwig promised. "Sorry, but thumbnails are going to be very boring for the next week."

It's not just about the updates: Google is investing considerably in hardening up the Android ecosystem and blocking applications that could be considered malware, Ludwig promised.

In June, Google announced Security Rewards for Android, a bug bounty scheme specifically for the mobile operating system. The rewards include smaller payouts for simple bug finding, similar to the bounty system for Chrome, but for full exploit chains showing a bug, exploitable proof of concept, and resulting in gaining access to the TrustZone in Android, the payout could net up to $38,000 for researchers.

Developers are also going to be getting warnings if their code is found to break the rules, either inadvertently or by design. So far Google has warned developers about more than 60,000 applications, but Ludwig said he wanted that cut to zero in the long run.

(ElReg)
