Monday, April 11, 2016

Stagefright security issue: what can a regular user do to mitigate the issue without a patch?


There appears to be a giant security vulnerability with Android that seems to basically affect all phones. PC World wrote:




The vast majority of Android phones can be hacked by sending them a specially crafted multimedia message (MMS), a security researcher [Joshua Drake] has found.


...


Drake found multiple vulnerabilities in a core Android component called Stagefright that’s used to process, play and record multimedia files. Some of the flaws allow for remote code execution and can be triggered when receiving an MMS message, downloading a specially crafted video file through the browser or opening a Web page with embedded multimedia content.


...


The MMS attack vector is the scariest of all because it doesn’t require any interaction from the user; the phone just needs to receive a malicious message.


For example, the attacker could send the malicious MMS when the victim is sleeping and the phone’s ringer is silenced, Drake said. After exploitation the message can be deleted, so the victim will never even know that his phone was hacked, he said.



What can a regular user do to mitigate the issue? Disable Google Hangouts?



Answer



This is not just about MMS or web surfing, since Stagefright is the library that helps phones to unpack multimedia messages: see Media and this article on Fortune.



So it is about any application (including your web browser) that works with multimedia (video clips and audio records). MMS is just the easiest way to exploit it, because your phone will not ask you before downloading it.


That is why you also need to think about all other applications working with multimedia and never open any multimedia attachments until the fix is installed on your phone.


For the Web browser, you could switch to Firefox 38 or higher, then you could continue opening web pages with video and/or audio content.


To summarise:



  • Disable auto-retrieval of MMS in your Messaging App (whatever it is) (Guide with images)

  • Switch to Firefox 38 or later (find it in your market / app store)

  • Switch to a filesystem manager hiding video thumbnails, which is the default for Total Commander

  • Switch to a video player that is immune, e.g., the video player MX Player (make sure to activate its "HW+" setting for all video formats) pointed out by hulkingtickets



  • Do not open any multimedia files or draw video thumbnails in any other applications and block automatic opening/downloading of them in all apps if possible. This is very important. If your phone is not patched and you use ANY app with multimedia content, and there is no option to block automatic opening of multimedia in this app (example for browser: if you open some random web page, your browser should preload videos, if they are on this web page), then stop using this app and block Internet access for this app (if you can't - delete the app). If this app is important to you, and you can't update phone firmware or block multimedia in this app, just stop using your phone and buy another one, which is not vulnerable.


    Yes, this means that in the worst case you need to change the phone. Stagefright is a very serious vulnerability affecting ~ 1 billion devices, so you could easily become a victim of an automated attack that is not done directly against you, but is directed at all 1 billion users.




  • Install updates, if you have CyanogenMod 11 or 12 (fixed on 23.07.2015, see commits on GitHub)


    EDIT: The fixes from 23.07.2015 were incomplete; you may need to update again after the fix on 13.08.2015.


    EDIT 4: The fixes on 13.08.2015 were again incomplete; you need to update one more time after the fixes from Google in October 2015 (so-called Stagefright 2.0). If you have Android 5.x or 6, you may need to update again after the next fixes from Google in November 2015, since there are similarly dangerous vulnerabilities (CVE-2015-6608 and CVE-2015-6609) that are probably not called Stagefright anymore. Please note that the time of the actual fix from your manufacturer could be later, or at least different. E.g., CM11 got updated on 09.11.2015, while CM12.1 got updated on 29.09.2015.


    EDIT 5: 2 more Stagefright vulnerabilities were reported by Google on 01.02.2016; however, they "only" affect Android 4.4.4 - 6.0.1.





  • Wait for update from your manufacturer


    EDIT2: As with CyanogenMod, an update from your manufacturer might not be enough, due to the issue with the initial integer overflow fix that was reported on 12.08.2015: Original integer overflow fix ineffective. So even after an update, it is recommended to check if your phone is still vulnerable using the app from Zimperium (finder of the Stagefright issue): Zimperium Stagefright Detector App




  • If you already have root, try the fix offered by GoOrDie. Also see this howto guide.


    EDIT 3: I tried this fix on a Samsung S4 mini, and it did not work. So think twice before rooting your phone.



