A new Android vulnerability has the security world worried – and it leaves your Android phone extremely vulnerable. The issue comes in the form of six bugs in an innocuous Android module called StageFright, which is used for media playback.
The StageFright bugs allow a malicious MMS, sent by a hacker, to execute malicious code inside the StageFright module. From there, the code has a number of options for gaining control of the device. As of right now, something like 950 million devices are vulnerable to this exploit.
It is, simply put, the worst Android vulnerability in history.
Android users are already growing upset about the breach, and for good reason. A quick scan of Twitter shows many irate users popping up as the news permeates the web.
— Thomas Fox-Brewster (@iblametom) July 27, 2015
Part of what makes this attack so scary is that there’s little users can do to protect themselves against it. Likely, they wouldn’t even know that the attack has occurred.
Normally, to attack an Android device, you need to get the user to install a malicious app. This attack is different: the attacker would simply need to know your phone number, and send a malicious multimedia message.
Depending on which messaging app you use, you might not even know that the message arrived. For example: if your MMS messages go through Andoid’s Google Hangouts, the malicious message would be able to take control and hide itself before the system even alerted the user that it had arrived. In other cases, the exploit might not kick in until the message is actually viewed, but most users would simply write it off as harmless spam text or a wrong number.
Once inside the system, code running within StageFright automatically has access to the camera and microphone, as well as bluetooth peripherals, and any data stored on the SD card. That’s bad enough, but (unfortunately) it’s just the start.
While Android Lollipop implements a number of security improvements, most Android devices are still running older versions of the OS, and are vulnerable to something called a “privilege escalation attack.” Normally, Android apps are “sandboxed“, allowing them to access only those aspects of the OS that they’ve been granted explicit permission to use. Privilege escalation attacks allow malicious code to “trick” the Android operating system into giving it more and more access to the device.
Once the malicious MMS has taken control of StageFright, it could use these attacks to take total control over older, insecure Android devices. This is a nightmare scenario for device security. The only devices totally immune to this issue are those running operating systems older than Android 2.2 (Froyo), which is the version that introduced StageFright in the first place.
The StageFright vulnerability was originally uncovered in April by Zimperium zLabs, a group of security researchers. The researchers reported the issue to Google. Google quickly released a patch to manufacturers – however, very few device makers have actually pushed the patch to their devices. The researcher who discovered the bug, Joshua Drake, believes that about 950 million of the estimated one billion android devices in circulation are vulnerable to some form of the attack.
— Joshua J. Drake (@jduck) May 20, 2015
Google’s own devices like the Nexus 6 have been partially patched according to Drake, although some vulnerabilities remain. In an email to FORBES on the subject, Google reassured users that,
“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device,”
However, this isn’t much comfort. Until Android Jellybean, the sandboxing in Android has been relatively weak, and there are several known exploits that can be used to get around it. It’s really crucial that manufacturers roll out a proper patch for this issue.
What Can You Do?
Unfortunately, hardware makers can be extremely slow to roll out these sorts of critical security patches. It’s certainly worth contacting your device manufacturer’s customer support department and asking for an estimate on when patches will be available. Public pressure will probably help speed things along.
For Drake’s part, he plans to reveal the full extent of his findings at DEFCON, an international security conference that takes place in early August. Hopefully, the added publicity will spur device manufacturers to release updates quickly, now that the attack is common knowledge.
On a broader note, this is a good example of why Android fragmentation is such a security nightmare.
— Mike (@mipesom) July 27, 2015
On a locked-down ecosystem like iOS, a patch for this could be rushed out in hours. On Android, it may take months or years to get every device up to speed due to the enormous level of fragmentation. I’m interested to see what solutions Google comes up in the coming years to start to bring these security-vital updates out of device-makers’ hands.
Are you an Android user affected by this issue? Concerned about your privacy? Let us know your thoughts in the comments!
Image credit: Backlit Keyboard by Wikimedia