950 million Android phones can be hijacked by malicious text messages
Booby-trapped MMS messages and websites
exploit flaw in heart of Android.
Almost all Android
mobile devices available today are susceptible to hacks that can execute
malicious code when they are sent a malformed text message or the
user is lured to a malicious website, a security researcher reported Monday.
The vulnerability
affects about 950 million Android phones and tablets, according to Joshua
Drake, vice president of platform research and exploitation at security
firm Zimperium. It resides in "Stagefright," an Android code library
that processes several widely used media formats. The most serious exploit
scenario is the use of a specially modified text message using the multimedia
message (MMS) format. All an attacker needs is the phone number of the
vulnerable Android phone. From there, the malicious message will
surreptitiously execute malicious code on the vulnerable device with no action
required by the end user and no indication that anything is amiss.
In a blog post published Monday, Zimperium
researchers wrote:
A fully weaponized successful
attack could even delete the message before you see it. You will only see the
notification. These vulnerabilities are extremely dangerous because they do not
require that the victim take any action to be exploited. Unlike spear-phishing,
where the victim needs to open a PDF file or a link sent by the attacker, this
vulnerability can be triggered while you sleep. Before you wake up, the
attacker will remove any signs of the device being compromised and you will
continue your day as usual—with a trojaned phone.
The vulnerability
can be exploited using other attack techniques, including luring targets to
malicious websites. Drake will outline six or so additional techniques at next
month's Black Hat security conference in Las Vegas, where he's scheduled to
deliver a talk titled Stagefright: Scary Code in the Heart of Android.
Drake said all
versions of Android after and including 2.2 are potentially vulnerable and that
it's up to each device manufacturer to patch the bug. So far, very few devices
have been patched, leading him to estimate that about 95 percent of devices—or
about 950 million of them—are currently susceptible. Even Google's Nexus 5
handsets, which typically receive security fixes long before most other Android
handsets, remain vulnerable. Nexus 6 devices, meanwhile, were patched only recently
against some but not all Stagefright attacks. Vulnerable devices running
Android versions prior to 4.3 (Jelly Bean) are at the greatest risk, since
earlier Android versions lack some of the more recent exploit mitigations.
Fixes require an over-the-air update.
Enter Firefox
Interestingly, the
Stagefright vulnerability also affects Firefox on all platforms except Linux,
and that includes the Firefox OS. Firefox developers have patched the
vulnerability in versions 38 and up.
"If you install
Firefox 38, you can no longer get exploited directly via Firefox," Drake
told Ars. "However, if I make your Firefox download the malicious video
instead of trying to play it with a
SilentCircle, maker
of the Blackphone Android handset, has also patched the vulnerability in its
PrivatOS with the release of version 1.1.7.
Android
is designed with a security sandbox that prevents most apps from being able to
access data used by other apps. That goes a long way to containing the damage
Stagefright and similar code-execution exploits can do. In theory, for
instance, it should prevent Stagefright exploits from sniffing login
credentials used by a properly designed banking app. Still, Drake warned that
successful exploits at the very least provide direct access to a phone's audio
and camera feeds and to the external storage. Worse still, many older phones
grant elevated system privileges to Stagefright code, a design that could allow
attackers access to many more device resources.
"The attacker
would have remote arbitrary code execution and thus escaping the sandbox is
only a small step away," Drake said. He said existing root exploits,
including those known as PingPongRoot, Towelroot, and put_user, would likely help
an attacker break free of the sandbox and gain much wider control over a
vulnerable device.
For now, there's not
much end users can do to protect themselves other than to install a patch as
soon as one becomes available for their specific Android device. People can
also prevent MMS messages from automatically loading in Google Hangouts or
other text apps. That will prevent malicious code from being automatically
loaded but won't protect against other attack vectors. There's no indication
that the bug is being actively exploited in the wild. Google has thanked Drake
for privately reporting the vulnerability and has since made a patch available
to partners. But as we all know, it can take years for security fixes to reach some models, and
many devices never receive them.
http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/