Android user test, still vulnerable to Stagefright?
Thine Wonk
31-08-2015
I thought of this idea when the topic came up in another thread. Tell us if your Android device is still vulnerable to Stagefright.

There are a few apps to choose from, but this one is very reputable, you don't have to use that one, choose your own from the store. Please check for over the air updates before posting to see if a fix is available.

https://play.google.com/store/apps/d...detector&hl=en

Tell us:-

Make / Model of device :
Are you vulnerable according to the app?
Have you disabled auto receive MMS as a precaution?


Bear in mind that this discovery was in July, affecting 95% of Android devices (1Billion) and that all you need to do is send a malicious MMS message, how many are now still vulnerable?
Thine Wonk
31-08-2015
I'll start..

Make / Model of device : LG G3
Are you vulnerable according to the app? Yes
Have you disabled auto receive MMS as a precaution? Yes

http://oi61.tinypic.com/29mq7ow.jpg
jchamier
31-08-2015
Using the same Zimperium Detector app.

Make / Model of device: Moto G 4G/LTE (1st edition) - Android 5.1 - up to date
Are you vulnerable according to the app? Yes
Have you disabled auto receive MMS as a precaution? Yes

http://oi62.tinypic.com/21msxv7.jpg
Thine Wonk
31-08-2015
Would be good to see some more, I'm curious which manufacturers have pushed out updates. Screenshots optional, but definitely would be good to hear what devices people have and if they are patched.
mupet0000
31-08-2015

Make / Model of device :
Nexus 6 (running Android 6.0 Marshmallow)
Are you vulnerable according to the app? No
Have you disabled auto receive MMS as a precaution? No

http://i.imgur.com/NGA3dJT.png
Aye Up
01-09-2015
Make & Model: Samsung Galaxy S6 Edge
Are you vulnerable? Yes
Have you disabled auto receive MMS as a precaution? No

https://goo.gl/photos/HFXWHG7bhnkGCHB78

I have several other devices which report pretty much the same, if anything this is a fault of Google's not the device makers. Given so few people use MMS now in Europe I wonder what the fuss is?
mupet0000
01-09-2015
Originally Posted by Aye Up:
“Make & Model: Samsung Galaxy S6 Edge
Are you vulnerable? Yes
Have you disabled auto receive MMS as a precaution? No

https://goo.gl/photos/HFXWHG7bhnkGCHB78

I have several other devices which report pretty much the same, if anything this is a fault of Google's not the device makers. Given so few people use MMS now in Europe I wonder what the fuss is?”

I guess seeing as all this exploit requires is for your device to receive a malicious MMS it doesn't matter if people use MMS or not, as long as you can receive one, your device isn't safe until it's patched. All someone needs to exploit this is your phone number.
Aye Up
01-09-2015
Originally Posted by mupet0000:
“All someone needs to exploit this is your phone number.”

I see your point, however it would be a targeted attack surely? I know it's possible to send out an MMS to several people, that costs money. They are not cheap to send (at least from within the UK). No doubt they have a bank of mobile numbers for a given market it would be easy to do in some respect.

I can see the potential threat, but not the actual one if you know what I mean?
Kenny Maclean
01-09-2015
Originally Posted by Thine Wonk:
“Would be good to see some more, I'm curious which manufacturers have pushed out updates. Screenshots optional, but definitely would be good to hear what devices people have and if they are patched.”

Much to my surprise, HTC pushed out a patch a couple of weeks ago for my M7.
Thine Wonk
01-09-2015
Originally Posted by Aye Up:
“Make & Model: Samsung Galaxy S6 Edge
Are you vulnerable? Yes
Have you disabled auto receive MMS as a precaution? No

https://goo.gl/photos/HFXWHG7bhnkGCHB78

I have several other devices which report pretty much the same, if anything this is a fault of Google's not the device makers. Given so few people use MMS now in Europe I wonder what the fuss is?”

It doesn't matter whether MMS is used a lot as it isn't genuine messages that are the problem, it is unsolicited malicious messages. There are 1 billion vulnerable devices sitting there that only need to receive a message with a certain message and you don't have to do a single thing as a user for somebody to send that message, execute code on your phone and steal data or do anything on your device.

The other thing is that the vulnerability isn't just an MMS issue, any browser or app can take advantage of the same exploit if you visit a website with that code on. The exploit even has more permissions than you do as a normal user of the phone!

The worst case scenario is a worm that infects a device and then sends MMS messages to your phone contact list and infects all of them, and then their contacts send to all theirs etc.. They can also use the exploit to make money by making your device visit ad links or use premium rate services that they earn money from, or in the long run ransomware like cryptolocker as you know many devices will never be updated.
Thine Wonk
01-09-2015
To add that ASLR prevents this exploit from being successful in most cases, and that is a challenge which the 'bad guys' are up against, but they have successfully been able to work around ASLR after some time on other operating systems. They are always researching and working around the security protections.

One of the issues is that only 2.1% of Android devices are actually 'supported' meaning only that many will get updates for security fixes, 97.9% are abandoned or where no updates will be available anymore.

If not this exploit, then the next will be used, and the issue is that you've got a device with premium rate calling functionality, always on data and usually lots of personal data too.
alanwarwic
01-09-2015
No one in their right mind would accept an unsolicited mms video if they have already turned off auto mms receive.
The problem is, if a friend's device has been taken over by a bot and is attempting to spread via sending videos via mms !

I never even knew mms could send videos, stupid costing being the kiss of death there. And you have to be slightly lazy/stupid to send mms picture messages too.
Thine Wonk
01-09-2015
Originally Posted by alanwarwic:
“No one in their right mind would accept an unsolicited mms video if they have already turned off auto mms receive.
The problem is, if a friend's device has been taken over by a bot and is attempting to spread via sending videos via mms !”

The thing is (as you know) the default is to auto receive and therefore with no user action whatsoever the device can be remotely attacked to execute code. The user doesn't have to approve, receive or anything. The vast majority of users haven't disabled auto receive of MMS and haven't updated or don't have an update available.

Luckily it isn't being exploited in the wild yet, but I'm sure there are cyber criminals planning on it and looking at what they can do without being tracked back / caught. They have to develop code and look at how to spread it and how to monetise it and this takes quite a bit of time usually, especially for exploit kits to start being developed and sold on the black market. It might be for now that there's lower hanging fruit as is often the case with these things.

As I say, if not this exploit it'll be the next.
alanwarwic
01-09-2015
Networks are a bunch of b******s so they ain't going to send a mass text to their customers advising them to turn it off.
They could make it opt in at their end, but again that ain't ever going to happen.
IvanIV
01-09-2015
Originally Posted by Thine Wonk:
“To add that ASLR prevents this exploit from being successful in most cases, and that is a challenge which the 'bad guys' are up against, but they have successfully been able to work around ASLR after some time on other operating systems. They are always researching and working around the security protections.

One of the issues is that only 2.1% of Android devices are actually 'supported' meaning only that many will get updates for security fixes, 97.9% are abandoned or where no updates will be available anymore.

If not this exploit, then the next will be used, and the issue is that you've got a device with premium rate calling functionality, always on data and usually lots of personal data too.”

I was skeptical about 64 bit processors, but having one and running 64 bit code is one thing that can make it quite a challenge for malware if used together with ASLR.
Thine Wonk
01-09-2015
Originally Posted by IvanIV:
“I was skeptical about 64 bit processors, but having one and running 64 bit code is one thing that can make it quite a challenge for malware if used together with ASLR.”

Absolutely, it makes it harder as in 32 bit there is a smaller number of possibilities I understand. I'm not sure how the Windows malware has been able to get around ASLR, but some has, the other thing with MMS is that the server that originates the messages can always be tracked back, so it is hard to exploit without being traced by the networks and therefore the likes of police / higher.

I think it is early days as well, it might just be that they haven't managed to exploit it in the wild, but that right now it is being worked on as a project by cyber criminals who are writing code and developing a whole exploitation system around it. Certainly we know that this is what we see with other exploits on other platforms. In Windows we see banking sites altered as a result of malware, we see search sites swapped out to revenue earning search results, we see ransomware, we see owners unaware that their machines are part of a botnet DDOSing servers like today's attack on the UK's National Crime Agency and we see password theft for sale in batch, especially gaming passwords, on a phone there's the added bonus of premium rate calling and texting to revenue earning services.

Your phone has a lot of apps, logins, passwords, contact numbers, email information and is a goldmine of information if they can successfully access that without being caught and with no need to trick the user, just craft the right kind of video file and you're away, the user either drives by the website or adverts or auto receives an MMS video.
alanwarwic
01-09-2015
It is still easier to have malicious apps in the various app stores, though Windows has the 10s, maybe 100s of thousands of bots out there now!
IvanIV
01-09-2015
I remember reading an article about getting past ASLR to call Windows APIs in Internet Explorer. I cannot find it, but the author demonstrated it at one of those hacking competitions where he started a local programme via a script on a web page IIRC. He didn't get past UAC, but it was still something.
Thine Wonk
01-09-2015
Originally Posted by alanwarwic:
“It is still easier to have malicious apps in the various app stores, though Windows has the 10s, maybe 100s of thousands of bots out there now!”

Apps only have permission to operating system APIs though and need the user to download and install and are to some extent curated by the store and can be remotely removed and deleted and require developer signing with a developer key, which requires some authentication or traceability and costs money.

This exploit has root access right into the core of the OS and it only requires a multimedia message. It has the potential to be wormable too.
Thine Wonk
07-09-2015
http://oi62.tinypic.com/35mo7tc.jpg


LG G3 up to date. I got notification of the OTA update today.
Denco1
07-09-2015
Yes LG patches started rolling out end of August.
Not quite sure what's going on with my G4, Zimperium says CVE-2015-3864 is vulnerable, but another detector says it's not vulnerable. Maybe to do with the way I flashed the kdz.

OnePlus 2 was also patched a while back.