Most Android phones can be hacked with a simple MMS message or multimedia file
IvanIV
28-07-2015
More security fun from Android: Most Android phones can be hacked with a simple MMS message or multimedia file

Or as they commented at CodeProject, Watch this video (on your phone) to find out how!

Apparently Android pushes the processing of any multimedia file (and that means even just extracting a thumbnail for the OS to display it) through a component called Stagefright (if that is not an ominous name) and that's when an attack happens. You have to know the phone number to exploit the vulnerability, but since you sent the MMS there in the first place... Google has a patch, the state of its distribution is another story.
petef
30-07-2015
https://blog.avast.com/2015/07/29/bi...o-stagefright/

Earlier this week, security researchers unveiled a vulnerability that is believed to be the worst Android vulnerability yet discovered. The “Stagefright” bug exposes nearly 1 billion Android devices to malware. The vulnerability was found in “Stagefright”, an Android media library. Hackers can gain access to a device by exploiting the vulnerability and can then access contacts and other data, including photos and videos, and can access the device’s microphone and camera, and thus spy on you by recording sound and taking photos.

All devices running Android versions Froyo 2.2 to Lollipop 5.1.1 are affected, which are used by approximately 95% of all Android devices.

The scary part is that hackers only need your phone number to infect you. The malware is delivered via a multimedia message sent to any messenger app that can process MPEG4 video format – like an Android device’s native messaging app, Google Hangouts and WhatsApp. As these Android messaging apps auto-retrieve videos or audio content, the malicious code is executed without the user even doing anything – the vulnerability does not require the victim to open the message or to click on a link.


The Avast blog has detailed instructions for disabling auto retrieval of MMS in various apps.

--
Pete Forman
http://petef.22web.org/payg.html
Zebb
08-08-2015
Quote from GSMArena: "Motorola is also already working on a fix and has recently released a full list of devices that it will be rolling out the required patch to as soon as possible. If you own one of these be sure to check for an OTA in the coming days and definitely install it for some extra peace of mind".

Doesn't seem quick but at least they've tried to do something.
IvanIV
08-08-2015
It's because of the way Android is used. If Google had said at the beginning that OEMs would programme drivers, their own apps and skins, they could have pushed updates to any phone they wanted. That's how Microsoft manages to push updates for most of 1 billion Windows installations monthly.

Now Google tries to make everything a module downloadable from Google Play effectively maneuvering OEMs into the position I mentioned at the beginning. Only it takes more effort and it's only for selected newer OS versions. I think a responsible thing would be to bite the bullet and introduce one source of code and centralised updates. There would still be enough freedom for OEMs to imprint their individuality on the phones and they could be updated as soon as Google implemented the fix and it was tested and okayed by OEMs.
Denco1
08-08-2015
Seems another exploit has been discovered, certifi-gate.
These monthly security updates will be good news if the manufacturers can manage it.
lightspeed2398
08-08-2015
Following from IvanIV for ways to improve I'd say something like two rings of updates - one Google does, more behind the scenes stuff OEMs have no control if they want Google Play Services access. Google would be responsible for testing on a wide range of hardware and implementing the drivers it requires and stuff (presume this is possible?). The other which is the OEM on the surface update. To me this would be a step to resolving fragmentation. Google needs to gamble though if OEMs would abandon Google Play Services if they imposed stricter rules.
jchamier
08-08-2015
Originally Posted by lightspeed2398:
“ Google needs to gamble though if OEMs would abandon Google Play Services if they imposed stricter rules.”

The Amazon Fire Phone shows what happens if you try and sell a phone in the west without Google Play Services (i.e., Google mapping etc). However in China there are lots of successful Android handsets without Google services.
tealady
10-08-2015
Just had an update on the N4, which I guess was in response to this. Now on 5.1.1
IvanIV
17-08-2015
It drags on like a soap.

Android, you have serious security problems

"Last week, Google issued a patch for the Stagefright vulnerability -- the nasty one, where the device can be compromised by sending it an MMS message. It affects every Android version since 2.2, an estimated 950 million devices in use worldwide.

But the patch doesn't work."

And that's not all. Sandboxes are not what they used to be either

""A malicious application on the same device as the Google Admin application is able to read data out of any file within the Google Admin sandbox, bypassing the Android Sandbox," says MWR Labs' advisory."

With these two you can deliver the malware to a phone and actually do some harm.
heidtheba
17-08-2015
? I thought all phones/tablets/laptops whatever are vulnerable this way.

And quotes from pieces of poo like Avast, will result in me losing no sleep, doing zip and forgetting about it.
finbaar
18-08-2015
Originally Posted by IvanIV:
“It drags on like a soap.

Android, you have serious security problems

"Last week, Google issued a patch for the Stagefright vulnerability -- the nasty one, where the device can be compromised by sending it an MMS message. It affects every Android version since 2.2, an estimated 950 million devices in use worldwide.

But the patch doesn't work."

And that's not all. Sandboxes are not what they used to be either

""A malicious application on the same device as the Google Admin application is able to read data out of any file within the Google Admin sandbox, bypassing the Android Sandbox," says MWR Labs' advisory."

With these two you can deliver the malware to a phone and actually do some harm.”


In fact because of the multiple layers of security the VAST majority of phones are not vulnerable.
DIGITAL SPY, PART OF THE HEARST UK ENTERTAINMENT NETWORK

© 2015 Hearst Magazines UK is the trading name of the National Magazine Company Ltd, 72 Broadwick Street, London, W1F 9EP. Registered in England 112955. All rights reserved.