DS Forums

 
 

Android user test, still vulnerable to Stagefright?


Old 31-08-2015, 15:12
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 14,545

I thought of this idea when the topic came up in another thread. Tell us if your Android device is still vulnerable to Stagefright.

There are a few apps to choose from, but this one is very reputable, you don't have to use that one, choose your own from the store. Please check for over the air updates before posting to see if a fix is available.

https://play.google.com/store/apps/d...detector&hl=en

Tell us:-

Make / Model of device :
Are you vulnerable according to the app?
Have you disabled auto receive MMS as a precaution?


Bear in mind that this discovery was in July, affecting 95% of Android devices (1 billion) and that all you need to do is send a malicious MMS message, how many are now still vulnerable?
Old 31-08-2015, 15:15
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 14,545
I'll start..

Make / Model of device : LG G3
Are you vulnerable according to the app? Yes
Have you disabled auto receive MMS as a precaution? Yes

http://oi61.tinypic.com/29mq7ow.jpg
Old 31-08-2015, 17:43
jchamier
Forum Member
 
Join Date: Mar 2000
Location: This forum
Posts: 3,389
Using the same Zimperium Detector app.

Make / Model of device: Moto G 4G/LTE (1st edition) - Android 5.1 - up to date
Are you vulnerable according to the app? Yes
Have you disabled auto receive MMS as a precaution? Yes

http://oi62.tinypic.com/21msxv7.jpg
Old 31-08-2015, 21:02
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 14,545
Would be good to see some more, I'm curious which manufacturers have pushed out updates. Screenshots optional, but definitely would be good to hear what devices people have and if they are patched.
Old 31-08-2015, 21:37
mupet0000
Forum Member
 
Join Date: Sep 2007
Posts: 620

Make / Model of device :
Nexus 6 (running Android 6.0 Marshmallow)
Are you vulnerable according to the app? No
Have you disabled auto receive MMS as a precaution? No

http://i.imgur.com/NGA3dJT.png
Old 01-09-2015, 00:18
Aye Up
Forum Member
 
Join Date: Mar 2001
Location: North West
Posts: 4,884
Make & Model: Samsung Galaxy S6 Edge
Are you vulnerable? Yes
Have you disabled auto receive MMS as a precaution? No

https://goo.gl/photos/HFXWHG7bhnkGCHB78

I have several other devices which report pretty much the same, if anything this is a fault of Google's not the device makers. Given so few people use MMS now in Europe I wonder what the fuss is?
Old 01-09-2015, 00:45
mupet0000
Forum Member
 
Join Date: Sep 2007
Posts: 620
> Make & Model: Samsung Galaxy S6 Edge
> Are you vulnerable? Yes
> Have you disabled auto receive MMS as a precaution? No
>
> https://goo.gl/photos/HFXWHG7bhnkGCHB78
>
> I have several other devices which report pretty much the same, if anything this is a fault of Google's not the device makers. Given so few people use MMS now in Europe I wonder what the fuss is?

I guess seeing as all this exploit requires is for your device to receive a malicious MMS it doesn't matter if people use MMS or not, as long as you can receive one, your device isn't safe until it's patched. All someone needs to exploit this is your phone number.
Old 01-09-2015, 01:09
Aye Up
Forum Member
 
Join Date: Mar 2001
Location: North West
Posts: 4,884
> All someone needs to exploit this is your phone number.

I see your point, however it would be a targeted attack surely? I know it's possible to send out an MMS to several people, that costs money. They are not cheap to send (at least from within the UK). No doubt they have a bank of mobile numbers for a given market it would be easy to do in some respect.

I can see the potential threat, but not the actual one if you know what I mean?
Old 01-09-2015, 02:47
Kenny Maclean
Forum Member
 
Join Date: Dec 2003
Location: London
Posts: 1,241
> Would be good to see some more, I'm curious which manufacturers have pushed out updates. Screenshots optional, but definitely would be good to hear what devices people have and if they are patched.

Much to my surprise, HTC pushed out a patch a couple of weeks ago for my M7.
Old 01-09-2015, 19:27
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 14,545
> Make & Model: Samsung Galaxy S6 Edge
> Are you vulnerable? Yes
> Have you disabled auto receive MMS as a precaution? No
>
> https://goo.gl/photos/HFXWHG7bhnkGCHB78
>
> I have several other devices which report pretty much the same, if anything this is a fault of Google's not the device makers. Given so few people use MMS now in Europe I wonder what the fuss is?

It doesn't matter whether MMS is used a lot as it isn't genuine messages that are the problem, it is unsolicited malicious messages. There are 1 billion vulnerable devices sitting there that only need to receive a message with a certain message and you don't have to do a single thing as a user for somebody to send that message, execute code on your phone and steal data or do anything on your device.

The other thing is that the vulnerability isn't just an MMS issue, any browser or app can take advantage of the same exploit if you visit a website with that code on. The exploit even has more permissions than you do as a normal user of the phone!

The worst case scenario is a worm that infects a device and then sends MMS messages to your phone contact list and infects all of them, and then their contacts send to all theirs etc. They can also use the exploit to make money by making your device visit ad links or use premium rate services that they earn money from, or in the long run ransomware like cryptolocker as you know many devices will never be updated.
Old 01-09-2015, 19:41
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 14,545
To add that ASLR prevents this exploit from being successful in most cases, and that is a challenge which the 'bad guys' are up against, but they have successfully been able to work around ASLR after some time on other operating systems. They are always researching and working around the security protections.

One of the issues is that only 2.1% of Android devices are actually 'supported' meaning only that many will get updates for security fixes, 97.9% are abandoned or where no updates will be available anymore.

If not this exploit, then the next will be used, and the issue is that you've got a device with premium rate calling functionality, always on data and usually lots of personal data too.
Old 01-09-2015, 20:15
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: the wild world web
Posts: 28,132
No one in their right mind would accept an unsolicited MMS video if they have already turned off auto MMS receive.
The problem is, if a friend's device has been taken over by a bot and is attempting to spread via sending videos via MMS!

I never even knew mms could send videos, stupid costing being the kiss of death there. And you have to be slightly lazy/stupid to send mms picture messages too.
Old 01-09-2015, 20:24
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 14,545
> No one in their right mind would accept an unsolicited MMS video if they have already turned off auto MMS receive.
> The problem is, if a friend's device has been taken over by a bot and is attempting to spread via sending videos via MMS!

The thing is (as you know) the default is to auto receive and therefore with no user action whatsoever the device can be remotely attacked to execute code. The user doesn't have to approve, receive or anything. The vast majority of users haven't disabled auto receive of MMS and haven't updated or don't have an update available.

Luckily it isn't being exploited in the wild yet, but I'm sure there are cyber criminals planning on it and looking at what they can do without being tracked back / caught. They have to develop code and look at how to spread it and how to monetise it and this takes quite a bit of time usually, especially for exploit kits to start being developed and sold on the black market. It might be for now that there's lower hanging fruit as is often the case with these things.

As I say, if not this exploit it'll be the next.
Old 01-09-2015, 20:42
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: the wild world web
Posts: 28,132
Networks are a bunch of b******s so they ain't going to send a mass text to their customers advising them to turn it off.
They could make it opt in at their end, but again that ain't ever going to happen.
Old 01-09-2015, 20:51
IvanIV
Forum Member
 
Join Date: May 2006
Posts: 25,199
> To add that ASLR prevents this exploit from being successful in most cases, and that is a challenge which the 'bad guys' are up against, but they have successfully been able to work around ASLR after some time on other operating systems. They are always researching and working around the security protections.
>
> One of the issues is that only 2.1% of Android devices are actually 'supported' meaning only that many will get updates for security fixes, 97.9% are abandoned or where no updates will be available anymore.
>
> If not this exploit, then the next will be used, and the issue is that you've got a device with premium rate calling functionality, always on data and usually lots of personal data too.

I was skeptical about 64 bit processors, but having one and running 64 bit code is one thing that can make it quite a challenge for malware if used together with ASLR.
Old 01-09-2015, 21:02
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 14,545
> I was skeptical about 64 bit processors, but having one and running 64 bit code is one thing that can make it quite a challenge for malware if used together with ASLR.

Absolutely, it makes it harder as in 32 bit there is a smaller number of possibilities I understand. I'm not sure how the Windows malware has been able to get around ASLR, but some has, the other thing with MMS is that the server that originates the messages can always be tracked back, so it is hard to exploit without being traced by the networks and therefore the likes of police / higher.

I think it is early days as well, it might just be that they haven't managed to exploit it in the wild, but that right now it is being worked on as a project by cyber criminals who are writing code and developing a whole exploitation system around it. Certainly we know that this is what we see with other exploits on other platforms. In Windows we see banking sites altered as a result of malware, we see search sites swapped out to revenue earning search results, we see ransomware, we see owners unaware that their machines are part of a botnet DDOSing servers like today's attack on the UK's National Crime Agency and we see password theft for sale in batch, especially gaming passwords, on a phone there's the added bonus of premium rate calling and texting to revenue earning services.

Your phone has a lot of apps, logins, passwords, contact numbers, email information and is a goldmine of information if they can successfully access that without being caught and with no need to trick the user, just craft the right kind of video file and you're away, the user either drives by the website or adverts or auto receives an MMS video.
Old 01-09-2015, 21:15
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: the wild world web
Posts: 28,132
It is still easier to have malicious apps in the various app stores, though Windows has the 10s, maybe 100s of thousands of bots out there now!
Old 01-09-2015, 21:23
IvanIV
Forum Member
 
Join Date: May 2006
Posts: 25,199
I remember reading an article about getting past ASLR to call Windows APIs in Internet Explorer. I cannot find it, but the author demonstrated it at one of those hacking competitions where he started a local programme via a script on a web page IIRC. He didn't get past UAC, but it was still something
Old 01-09-2015, 21:24
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 14,545
> It is still easier to have malicious apps in the various app stores, though Windows has the 10s, maybe 100s of thousands of bots out there now!

Apps only have permission to operating system APIs though and need the user to download and install and are to some extent curated by the store and can be remotely removed and deleted and require developer signing with a developer key, which requires some authentication or traceability and costs money.

This exploit has root access right into the core of the OS and it only requires a multimedia message. It has the potential to be wormable too.
Old 07-09-2015, 20:51
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 14,545
http://oi62.tinypic.com/35mo7tc.jpg


LG G3 up to date. I got notification of the OTA update today.
Old 07-09-2015, 22:17
Denco1
Forum Member
 
Join Date: Mar 2015
Posts: 983
Yes LG patches started rolling out end of August.
Not quite sure what's going on with my G4, Zimperium says CVE-2015-3864 is vulnerable, but another detector says it's not vulnerable. Maybe to do with the way I flashed the kdz.

OnePlus 2 was also patched a while back.