Android OS suffers from a massive security hole, and nobody cares enough to fix it.
57 replies, posted
[QUOTE]Here's how the attack would work: The bad guy creates a short video, hides the malware inside it and texts it to your number. As soon as it's received by the phone, Drake says, "it does its initial processing, which triggers the vulnerability."
The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery. That way the user doesn't have to waste time looking. But, Drake says, this setup invites the malware right in.[/QUOTE]
[QUOTE]Often, Mulliner says, manufacturers don't have a financial incentive to fix phones already sold.
"If you can save money by not producing updates, you're not going to do that," he says. "Since the market is moving that fast, it sometimes doesn't make sense for the manufacturer to provide an update."[/QUOTE]
[QUOTE]"Basically, within 48 hours I had an email telling me that they had accepted all of the patches I sent them, which was great," he says. "You know, that's a very good feeling."
But it goes away very quickly, he says, when you look at how long it'll take his Nexus, my Samsung Galaxy and your LG or ZTE to get those patches. Drake says that [I][B]as few as 20 percent will get fixed, though the figure may be higher than that, "potentially up to the optimistic number of 50 percent.[/B][/I]"[/QUOTE]
Source: [URL="http://www.npr.org/sections/alltechconsidered/2015/07/27/426613020/major-flaw-in-android-phones-would-let-hackers-in-with-just-a-text"]NPR[/URL]
Every new vulnerability is the world's worst and BIGGEST vulnerability to headlines.
[QUOTE=Take_Opal;48306954]Every new vulnerability is the world's worst and BIGGEST vulnerability to headlines.[/QUOTE]
This kind of attack is done with a standard MMS message and grants enough control to completely take over a phone, delete all traces of the MMS and exploit, and then continually phone home, and it's in every major Android version up until 5.1.1
It's pretty serious. This could easily be worse than the old ILOVEYOU virus. Hell, these phones can self spread this infection by texting it to everyone in their contacts list after infection.
Now, find me a carrier or OEM willing to update a phone still on 4.4 right this moment, let alone one still on 2.2
[QUOTE=1/4 Life;48307109]This kind of attack is done with a standard MMS message and grants enough control to completely take over a phone, delete all traces of the MMS and exploit, and then continually phone home, and it's in every major Android version up until 5.1.1
It's pretty serious. This could easily be worse than the old ILOVEYOU virus. Hell, these phones can self spread this infection by texting it to everyone in their contacts list after infection.
Now, find me a carrier or OEM willing to update a phone still on 4.4, let alone 2.2[/QUOTE]
yeah but its in the hangouts app and nobody fucking uses that
[QUOTE=Take_Opal;48306954]Every new vulnerability is the world's worst and BIGGEST vulnerability to headlines.[/QUOTE]
It's a massive exploit because as the article tells most of (of certain manufacturers) the phones don't get any security updates at all.
[QUOTE=MasterFen006;48307120]yeah but its in the hangouts app and nobody fucking uses that[/QUOTE]
You didn't read the article.
The failure is in Stagefright, the media handler for the Android OS. Hangouts is an example. Every single app that accepts MMS messages is capable of this.
Hangouts
Google Messenger
AOSP Messages
Textra
TextSecure
Handcent
Older versions of Facebook Messenger
Etc, etc.
[QUOTE=1/4 Life;48307137]You didn't read the article.
The failure is in Stagefright, the media handler for the Android OS. Hangouts is an example. Every single app that accepts MMS messages is capable of this.
Hangouts
Google Messenger
AOSP Messages
Textra
TextSecure
Handcent
Older versions of Facebook Messenger
Etc, etc.[/QUOTE]
i dont even know who uses MMS so it doesnt really matter to me
plus any phone that matters in the last 2 years gets updates anyway so this'll be fixed soon
[QUOTE=1/4 Life;48307137]You didn't read the article.
The failure is in Stagefright, the media handler for the Android OS. Hangouts is an example. Every single app that accepts MMS messages is capable of this.[/QUOTE]
Every single app that uses Stagefright is an attack vector.
Not just MMS.
This is why you [I]buy a Nexus[/I]
[QUOTE=DrTaxi;48307155]Every single app that uses Stagefright is an attack vector.
Not just MMS.[/QUOTE]
Yep, MMS is just the best attack vector.
[editline]27th July 2015[/editline]
[QUOTE=wickedplayer494;48307161]This is why you [I]buy a Nexus[/I][/QUOTE]
All current Nexus phones are at risk at this very moment.
[QUOTE=MasterFen006;48307120]yeah but its in the hangouts app and nobody fucking uses that[/QUOTE]
[QUOTE=MasterFen006;48307153]i dont even know who uses MMS so it doesnt really matter to me[/QUOTE]
lol, i've never seen someone so adamant that a security bug that affects nearly 1 billion phones doesn't matter
[QUOTE=MasterFen006;48307153]i dont even know who uses MMS so it doesnt really matter to me
plus any phone that matters in the last 2 years gets updates anyway so this'll be fixed soon[/QUOTE]
I can name more than ten people I know personally that haven't updated their phone in 2 years or bought one that came with gingerbread that do banking and other important activities on their phones who are now fucked. The world has people outside your viewpoint in it.
[QUOTE=1/4 Life;48307162]All current Nexus phones are at risk at this very moment.[/QUOTE]
Yes but they'll be part of the 20% patched because they're first in line from Google as it's the closest to AOSP you'll get, followed by all phones flashed on CyanogenMod and/or 1+'s OxygenOS, followed by whoever decides to bother.
[editline].[/editline]
And I would say that it isn't that far fetched that if someone's flashed CyanoMod, they're probably aware of this hole already.
[QUOTE=MasterFen006;48307153]i dont even know who uses MMS so it doesnt really matter to me[/QUOTE]
You don't need to actively use MMS. You only need to be able to receive them. And every Android phone connected to a cellular network is able to receive MMS.
AFAIK it depends on the messaging app you use whether you need to just receive a message, or read the notification, or actively open the app and read the message.
[QUOTE=wickedplayer494;48307183]Yes but they'll be part of the 20% patched because they're first in line from Google as it's the closest to AOSP you'll get, followed by all phones flashed on CyanogenMod and/or 1+'s OxygenOS, followed by whoever decides to bother.[/QUOTE]
Actually, Silent Circle released a patch for their Blackphone weeks ago already.
[QUOTE=MasterFen006;48307153]i dont even know who uses MMS so it doesnt really matter to me[/QUOTE]
It [I]very much[/I] matters to you, you get infected the moment you receive an MMS on your phone. And just about anybody on the world can send one to you.
The fact that the operating system receiving updates depends entirely on the OEM is frankly fucking ridiculous.
I understand that every phone has different specifications and everything is specially designed but god damn, you'd think they'd at least make it easier to patch critical security flaws on phones whose manufacturers just can't be bothered to make an update package for.
[QUOTE=MasterFen006;48307153]i dont even know who uses MMS so it doesnt really matter to me
plus any phone that matters in the last 2 years gets updates anyway so this'll be fixed soon[/QUOTE]
If you ever receive a photo or video through your stock messaging app (or Hangouts, etc), then you use MMS.
If you use an OTT app then you wont
[QUOTE=cartman300;48307206]It [I]very much[/I] matters to you, you get infected the moment you receive an MMS on your phone. And just about anybody on the world can send one to you.[/QUOTE]
Anybody who knows the details of the vulnerability.
As of now, that's not a lot of people.
As of a week from now, that's everyone who has any idea about computer security.
[QUOTE=MasterFen006;48307153]i dont even know who uses MMS so it doesnt really matter to me
plus any phone that matters in the last 2 years gets updates anyway so this'll be fixed soon[/QUOTE]
Most phones actually have enabled MMS and just receiving an MMS will be able to carry out that attack.
Not to mention this is the media handler - an MMS is just the most simple way it can be triggered.
Will disabling notifications for Hangouts work to stop that method of infection?
I did that and disable auto-retrieve MMS.
[QUOTE=Durrsly;48307496]Will disabling notifications for Hangouts work to stop that method of infection?
I did that and disable auto-retrieve MMS.[/QUOTE]
No, only disabling MMS auto-retrieve will help you, and even then there are plenty of other apps and activities outside of MMS that use Stagefright.
[QUOTE=Sgt. Lulz;48307208]The fact that the operating system receiving updates depends entirely on the OEM is frankly fucking ridiculous.
I understand that every phone has different specifications and everything is specially designed but god damn, you'd think they'd at least make it easier to patch critical security flaws on phones whose manufacturers just can't be bothered to make an update package for.[/QUOTE]
Now if only Android would be an actually open to the core platform, this would never be an issue. At least, not for people with a phone newer than 4-5 years, because anything in that range would probably be properly maintained.
But no, we don't have those options, so we're left with the bull that the current industry has en mass distributed to the increasing number of Android customers.
[QUOTE=1/4 Life;48307520]No, only disabling MMS auto-retrieve will help you, and even then there are plenty of other apps and activities outside of MMS that use Stagefright.[/QUOTE]
Then I hope LG releases an update for my phone.
I doubt that will happen though.
[QUOTE=1/4 Life;48307520]No, only disabling MMS auto-retrieve will help you, and even then there are plenty of other apps and activities outside of MMS that use Stagefright.[/QUOTE]
Atleast then you'd be able to filter out incoming MMS messages with whatever AV installed on the phone yes?
Can't they just push an update to the handler over Google Play? It would mean a user could uninstall it but it should be possible, shouldn't it?
[QUOTE=Durrsly;48307690]Then I hope LG releases an update for my phone.
I doubt that will happen though.[/QUOTE]
This [I]might[/I] be the thing that gets manufacturers to change their update policy.
Or nothing ever will.
[QUOTE=MasterFen006;48307153]i dont even know who uses MMS so it doesnt really matter to me
plus any phone that matters in the last 2 years gets updates anyway so this'll be fixed soon[/QUOTE]
Im on a phone that "doesnt matter"
Im screwed
Sorry, you need to Log In to post a reply to this thread.