Android Stagefright flaws put 950 million devices at risk

Minimalist · Jul 27, 2015

Vulnerabilities discovered in the Stagefright media playback engine that is native to Android devices could be the mobile world’s equivalent to Heartbleed. Almost all Android devices contain the security and implementation issues in question; unpatched devices are at risk to straightforward attacks against specific users that put their privacy, data and safety at risk.
Click to expand...

https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk

Gullible Jones · Jul 27, 2015

Now watch lots of vendors continue to not provide any patches for old phones.

Gullible Jones · Jul 28, 2015

So, my phone is an affected model (no kidding). Posted about this on the vendor's support forum... 12 hours later, no replies. I don't know if they're even updating the newer phones. There are 3-4 other posts about this, and no replies to any of them.

Absolutely shameful. I'd say this is a breach of contract on their end, but of course they're smarter than that; they retain the right to sue, I don't. Jerks.

Anyway, right now my Android phone is lying on my desk with the battery removed. I'm considering transferring the number to a dumb cell phone. Too bad I'd have to keep paying the vendor for service I was not recieving. Yay!

P.S. What's with the Heartbleed analogies? This is more like Shellshock, actually really serious.

subhrobhandari · Jul 28, 2015

How many of the models would get patched? I think the vendors would only issue OTA for flagships, the rest will be left out. I was thinking about shifting into the ship of smartphones, but after this, would buy another dumbphone until Linux/Firefox OS gets matured.

Minimalist · Jul 28, 2015

Yes I find this a big problem also. Most vendors just stop supporting older models and stop releasing newer Android versions. That means that after few years, your smartphone becomes insecure. Vendors should release support lifecycle for their devices so that users would know how long their devices will be safe to use.

new2security · Jul 28, 2015

Would disabling "auto mms download" feature mitigate this?

Gullible Jones · Jul 28, 2015

OTOH, there's an unexpected benefit to this: smart phones are quite distracting to carry around turned on all the time. I'm using a flip phone instead today, and I feel like my IQ has increased by a few points.

artoor · Jul 28, 2015

new2security said: ↑

Would disabling "auto mms download" feature mitigate this?
Click to expand...

I guess so, however, not only by receiving MMS your smartphone can be compromised

new2security · Jul 28, 2015

artoor said: ↑

I guess so, however, not only by receiving MMS your smartphone can be compromised
Click to expand...

Sometimes I regret getting a smartphone. It gives me sore fingers and on top of that security issues.
I miss the good old gsm only phones.

Minimalist · Jul 29, 2015

Trend Micro Discovers Vulnerability That Renders Android Devices Silent

We have discovered a vulnerability in Android that can render a phone apparently dead – silent, unable to make calls, with a lifeless screen. This vulnerability is present from Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop). Combined, these versions account for more than half of Android devices in use today. No patch has been issued in the Android Open Source Project (AOSP) code by the Android Engineering Team to fix this vulnerability since we reported it in late May.
Click to expand...

http://blog.trendmicro.com/trendlab...rability-that-renders-android-devices-silent/

Dragon1952 · Jul 29, 2015

https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html

subhrobhandari · Jul 29, 2015

Minimalist said: ↑

Trend Micro Discovers Vulnerability That Renders Android Devices Silent

http://blog.trendmicro.com/trendlab...rability-that-renders-android-devices-silent/
Click to expand...

What’s more, although mobile Chrome disables preload and autoplay of videos, the malformed MKV still causes the Chrome to read more than 16MB until mediaserver crashes. It appears to have bypassed the limitation.
Click to expand...

What about the other browsers?

Minimalist · Jul 29, 2015

subhrobhandari said: ↑

What about the other browsers?
Click to expand...

I don't know, it's not mentioned in that article.

safeguy · Jul 29, 2015

Thanks. Nothing much I can do other than to follow the mitigation suggestion for now.

BoerenkoolMetWorst · Jul 30, 2015

Note that TextSecure doesn't autoplay and gives a warning first:

TextSecure plays audio/video by handing it to the system's default media
player. If there's a stagefright vulnerability, it's possible that the
system's default media player is vulnerable. From TextSecure, that
interaction should only happen by physically tapping on an audio/video
attachment, then tapping through a warning dialog about insecure
playback. At that point, it's out of our hands.
Click to expand...

https://lists.riseup.net/www/arc/whispersystems/2015-07/msg00084.html

Dermot7 · Jul 31, 2015

Earlier this week Zimperium zLabs revealed an Android vulnerability which could be used to install malware on a device via a simple multimedia message. This vulnerability, now known as Stagefright, has gained a lot of attention for the potential attacks it can cause. Stagefright makes it possible, for example, for an attacker to install a spyware app in a targets phone without their knowledge just by sending an MMS.

Versions of Android from 4.0.1 to 5.1.1 are affected; this represents 94.1% of all Android devices in use today.

We independently discovered this vulnerability as well; this blog post will disclose more details about this particular flaw.
Click to expand...

http://blog.trendmicro.com/trendlab...s-not-the-only-attack-vector-for-stagefright/

ronjor · Aug 6, 2015

Posted on 06 August 2015.
Zeljka Zorz

Adrian Ludwig, Google's lead engineer for Android Security, has announced yesterday at Black Hat USA 2015 that Google will be pushing out in the next few days an update that will fix the infamous Stagefright flaw recently discovered by Zimperium researchers, as well as another one, discovered by Trend Micro researchers, which can make Android devices totally unresponsive.
Click to expand...

http://www.net-security.org/secworld.php?id=18726

Minimalist · Aug 6, 2015

Samsung announces new Android security update process, promises over-the-air patches ‘about once per month’

Samsung today announced a new Android security update process that will provide timely protection from security vulnerabilities on its mobile devices. The company plans to fast-track security patches over the air and promises the updates will be released regularly, “about once per month.”
Click to expand...

http://venturebeat.com/2015/08/05/s...es-over-the-air-patches-about-once-per-month/

ronjor · Aug 6, 2015

Android Stagefright: The heart attack that never happened
By Steven Max Patterson Network World | Aug 6, 2015 8:25 AM PT

The extremely exaggerated risk of the Stagefright vulnerability may have precipitated an improvement in the Android security model.
Click to expand...

http://www.networkworld.com/article...vulnerability-black-hat-security-updates.html

Minimalist · Aug 7, 2015

Android's 5 biggest security flaws 2015

You could be forgiven for losing track of Android security flaws. Even in recent weeks, two shockingly big ones have appeared – including a brand new one this week discovered by Check Point - both affecting Android 5.0, supposedly the latest and greatest version of Google’s mobile OS.

In fact, Android has suffered a steady stream of flaws great and small, which wouldn’t matter if it wasn’t for a single unconformable fact – Android is complex to patch. Here we outline the biggest flaws to affect Android in recent times, all publicised since mid-2014.
Click to expand...

http://www.techworld.com/security/androids-5-biggest-security-flaws-2015-3622116/

Dermot7 · Aug 7, 2015

Stagefright detectors seem to be flavor of the month at the moment, not surprising when the vulnerability could affect around 95 percent of Android devices. We reported yesterday on Zimperium's version and now mobile security specialist Lookout has launched its own detector.
Click to expand...

http://betanews.com/2015/08/07/lookout-launches-stagefright-detector/

ronjor · Aug 10, 2015

Waiting for Android’s inevitable security Armageddon

Editorial: Android's update strategy doesn't scale, and that's recipe for disaster.

by Ron Amadeo - Aug 6, 2015 3:00pm CDT
Click to expand...

http://arstechnica.com/gadgets/2015/08/waiting-for-androids-inevitable-security-armageddon/

Minimalist · Aug 10, 2015

IBM finds another Android phone bug

IBM security researchers have found a way to exploit an Android flaw that puts more than 55% of Android phones at risk of being taken over by persistent attackers.

By exploiting a weakness it discovered, IBM's X-Force Application Security Research Team showed it could escalate privileges in a compromised phone and execute code on it, including taking over legitimate applications.
Click to expand...

http://www.techworld.com/news/security/ibm-finds-another-android-phone-bug-3622384/

ronjor · Aug 18, 2015

Android's Stagefright bug will live on for longer than we thought

By Russell Brandom on August 13, 2015 01:00 pm
The patch process for Android's Stagefright vulnerability hasn't gone quite as smoothly as Google hoped. Just eight days after Google, manfacturers and carriers rushed out a fix for Stagefright, researchers at Exodus Intelligence are saying there's a problem with one of the patches, and phones could still be vulnerable under the right circumstances.
Click to expand...

http://www.theverge.com/2015/8/13/9148437/android-stagefright-vulnerability-disclosure-exodus-patch

ronjor · Aug 18, 2015

Another serious vulnerability found in Android's media processing service
By Lucian Constantin Follow
IDG News Service | Aug 18, 2015
Rogue applications could exploit the flaw to gain sensitive permissions
Click to expand...

http://www.infoworld.com/article/29...und-in-androids-media-processing-service.html

Log in or Sign up

Android Stagefright flaws put 950 million devices at risk

Minimalist Registered Member

Gullible Jones Registered Member

Gullible Jones Registered Member

subhrobhandari Registered Member

Minimalist Registered Member

new2security Registered Member

Gullible Jones Registered Member

artoor Registered Member

new2security Registered Member

Minimalist Registered Member

Dragon1952 Registered Member

subhrobhandari Registered Member

Minimalist Registered Member

safeguy Registered Member

BoerenkoolMetWorst Registered Member

Dermot7 Registered Member

ronjor Global Moderator

Minimalist Registered Member

ronjor Global Moderator

Minimalist Registered Member

Dermot7 Registered Member

ronjor Global Moderator

Minimalist Registered Member

ronjor Global Moderator

ronjor Global Moderator

Log in or Sign up

Android Stagefright flaws put 950 million devices at risk

Minimalist Registered Member

Gullible Jones Registered Member

Gullible Jones Registered Member

subhrobhandari Registered Member

Minimalist Registered Member

new2security Registered Member

Gullible Jones Registered Member

artoor Registered Member

new2security Registered Member

Minimalist Registered Member

Dragon1952 Registered Member

subhrobhandari Registered Member

Minimalist Registered Member

safeguy Registered Member

BoerenkoolMetWorst Registered Member

Dermot7 Registered Member

ronjor Global Moderator

Minimalist Registered Member

ronjor Global Moderator

Minimalist Registered Member

Dermot7 Registered Member

ronjor Global Moderator

Minimalist Registered Member

ronjor Global Moderator

ronjor Global Moderator

Useful Searches