Stagefright: New Android Vulnerability Dubbed 'heartbleed for mobile'

Uploaded on 2015-08-06 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Researcher Joshua Drake has found a number of flaws which will allow the hacker to execute malicious code remotely

An attacker can take over the vast majority of Android phones with just a text message, security researcher reports
A major security flaw in Android lets an attacker take control of a phone simply by sending a text message – and for the vast majority of Android users, there’s no fix available yet.

Even the small number of people using Google’s own line of Android phones, sold under the Nexus brand, are vulnerable to some of the effects of the bug, according to Joshua Drake, the researcher who discovered the flaw. The weakness affects a part of the Android operating system, called Stagefright, that lets phones and tablets display media content. A maliciously crafted video can be used to deliver a program, which will run on the phone as soon as it is processed, by Stagefright, potentially letting an attacker do anything from read and delete data to spy on the owner through their camera and microphone.

Worse, Google’s messaging app Hangouts automatically pre-processes videos when they’re received to cut down the delay if the user wants to watch them straight away. That means that if the video is sent as an MMS message, it can take over the phone “before the sound that you’ve received a message has even occurred,” Drake told NPR.
Even with Android’s default messaging app, all the user has to do is view the message to trigger the Stagefright vulnerability. In neither case does the user actually have to play the video in order to be the victim of the hack. But in newer versions of the Android operating system, Google says that users are protected from the worst effects of the bug.

Chris Wysopal, the chief information security officer for app security specialists Veracode, called the flaw “Heartbleed for mobile”, referring to the widespread bug that put hundreds of thousands of websites at risk of hacking in April 2014.
Wysopal said bugs that severe “are exceedingly rare and pose a serious security issue for users”.

Drake revealed details of the bug to Google in April, and provided the company with patches for the errors, in theory, enough to ensure that users are never put at risk from the bug. He negotiated a 90-day embargo before he went public, giving the company a long headway to ship a fix to users. Google’s in-house security researchers, Project Zero, apply the same 90-day warning to other vendors when they find bugs in products from companies such as Apple and Microsoft.

But the coder’s revelation has also highlighted a long-standing security problem with Android, which is the speed with which fixes for software errors filter down to end users. Google, which makes the Android operating system, has no power to push patches to the vast majority of Android phones that are produced by other companies such as HTC, LG or Samsung, and those companies frequently have to negotiate with mobile network operators to send patches to the end user.
In a statement, Google said: “This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users.
“As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at BlackHat.”

Google rewarded Drake $1,337 for reporting the patches, although if he’d waited a couple of months, until the company launched its official bug bounty programme, he could have earned ten times that.

Guardian

 

« Can You have Both Security & Privacy in the Internet Age?
Don't Make These IT Mistakes in Your Organisation »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Hyper Recruitment Solutions

Hyper Recruitment Solutions

Hyper Recruitment Solutions is a specialist and highly compliant recruitment consultancy dedicated to the Science and Technology sectors.

DCL Search & Select

DCL Search & Select

DCL Search & Selection connect candidates to the best companies in the IT Security, Telco, UC, Outsourcing, ERP, Audit & Control markets.

Orange Cyberdefense

Orange Cyberdefense

Orange Cyberdefense is the expert cybersecurity business unit of the Orange Group, providing managed security, managed threat detection & response services to organizations around the globe.

PeCERT

PeCERT

PeCERT is the national Computer Emergency Response Team for Peru.

PhishLine

PhishLine

PhishLine helps Information Security Professionals meet and overcome the increasing challenges associated with social engineering and phishing.

Giesecke+Devrient (G+D)

Giesecke+Devrient (G+D)

Giesecke+Devrient develop security technologies in four major areas: enabling secure payment, providing trusted connectivity, safeguarding identities and protecting digital infrastructures.

Zecurion

Zecurion

Zecurion data loss prevention (DLP) solution is an easy-to-use solution for securing confidential data at rest and in motion.

NFIR

NFIR

NFIR is a specialist in the field of cyber security incident response and digital forensics.

Labs/02

Labs/02

Labs/02 is a seed-stage incubator with a mission to advance cutting-edge technology in innovative areas including AI, deep learning, autonomous transportation, and smart cities.

BullGuard

BullGuard

BullGuard is an award-winning cybersecurity company focused on providing the consumer and small business markets with the confidence to use the internet in absolute safety.

Partners in Regulatory Compliance (PIRC)

Partners in Regulatory Compliance (PIRC)

Partners in Regulatory Compliance provides an array of cybersecurity services including cybersecurity policy management, risk assessments and regulatory compliance consulting.

Data#3 Limited (DTL)

Data#3 Limited (DTL)

Data#3 Limited (DTL) is a leading Australian IT services and solutions provider.

Automation Workz

Automation Workz

Automation Workz has been ranked as a top 10 Cybersecurity Bootcamp in the US by Career Karma.

Moss Adams

Moss Adams

Moss Adams is a fully integrated professional services firm dedicated to assisting clients with growing, managing, and protecting prosperity.

ATHENE National Research Center For Applied Cybersecurity

ATHENE National Research Center For Applied Cybersecurity

ATHENE is the largest research center for cybersecurity and privacy in Europe, conducting application-oriented top-level research for the benefit of the economy, society and the state.

Maltego Technologies

Maltego Technologies

Maltego is a comprehensive tool for graphical link analyses that offers real-time data mining and information gathering. Applications include cybersecurity threat intelligence and incident response.