Stagefright: New Android Vulnerability Dubbed 'heartbleed for mobile'

Uploaded on 2015-08-06 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Researcher Joshua Drake has found a number of flaws which will allow the hacker to execute malicious code remotely

An attacker can take over the vast majority of Android phones with just a text message, security researcher reports
A major security flaw in Android lets an attacker take control of a phone simply by sending a text message – and for the vast majority of Android users, there’s no fix available yet.

Even the small number of people using Google’s own line of Android phones, sold under the Nexus brand, are vulnerable to some of the effects of the bug, according to Joshua Drake, the researcher who discovered the flaw. The weakness affects a part of the Android operating system, called Stagefright, that lets phones and tablets display media content. A maliciously crafted video can be used to deliver a program, which will run on the phone as soon as it is processed, by Stagefright, potentially letting an attacker do anything from read and delete data to spy on the owner through their camera and microphone.

Worse, Google’s messaging app Hangouts automatically pre-processes videos when they’re received to cut down the delay if the user wants to watch them straight away. That means that if the video is sent as an MMS message, it can take over the phone “before the sound that you’ve received a message has even occurred,” Drake told NPR.
Even with Android’s default messaging app, all the user has to do is view the message to trigger the Stagefright vulnerability. In neither case does the user actually have to play the video in order to be the victim of the hack. But in newer versions of the Android operating system, Google says that users are protected from the worst effects of the bug.

Chris Wysopal, the chief information security officer for app security specialists Veracode, called the flaw “Heartbleed for mobile”, referring to the widespread bug that put hundreds of thousands of websites at risk of hacking in April 2014.
Wysopal said bugs that severe “are exceedingly rare and pose a serious security issue for users”.

Drake revealed details of the bug to Google in April, and provided the company with patches for the errors, in theory, enough to ensure that users are never put at risk from the bug. He negotiated a 90-day embargo before he went public, giving the company a long headway to ship a fix to users. Google’s in-house security researchers, Project Zero, apply the same 90-day warning to other vendors when they find bugs in products from companies such as Apple and Microsoft.

But the coder’s revelation has also highlighted a long-standing security problem with Android, which is the speed with which fixes for software errors filter down to end users. Google, which makes the Android operating system, has no power to push patches to the vast majority of Android phones that are produced by other companies such as HTC, LG or Samsung, and those companies frequently have to negotiate with mobile network operators to send patches to the end user.
In a statement, Google said: “This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users.
“As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at BlackHat.”

Google rewarded Drake $1,337 for reporting the patches, although if he’d waited a couple of months, until the company launched its official bug bounty programme, he could have earned ten times that.

Guardian

 

« Can You have Both Security & Privacy in the Internet Age?
Don't Make These IT Mistakes in Your Organisation »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Open Networking Foundation (ONF)

Open Networking Foundation (ONF)

The Open Networking Foundation (ONF) is a non-profit operator led consortium driving transformation of network infrastructure and carrier business models.

My Data Recovery Lab

My Data Recovery Lab

We recover data from: HDDs, RAIDs, NAS, SSDs, USB Flash Devices, Desktop Computers, Mobile devices and other data storage media.

Cybernetica

Cybernetica

Cybernetica is an ICT company with activities in e-government, marine comms, data analysis and research in information security technologies.

Raytheon Technologies

Raytheon Technologies

Raytheon Intelligence & Space delivers solutions that protect every side of cyber for government agencies, businesses and nations.

Span

Span

Span designs, develops and maintains information systems based on advanced technological solutions of global IT leaders.

TROOPERS

TROOPERS

TROOPERS InfoSec event consists of two days of high-end training, followed by a two-day, three-track conference, culminating in Roundtables on the final day.

SixThirty CYBER

SixThirty CYBER

SixThirty is a venture fund that invests in early-stage enterprise technology companies from around the world building FinTech, InsurTech, and Cybersecurity solutions.

Automox

Automox

Remediate vulnerabilities 30X faster than the industry norm – and dramatically reduce your risk with simple, fast, and cloud-native endpoint hardening from Automox.

Maven Security Consulting

Maven Security Consulting

Maven Security Consulting helps companies secure their information assets and digital infrastructure by providing a wide range of customized consulting and training services.

Dashlane

Dashlane

Dashlane puts all your passwords, payments, and personal info in one place that only you control. So you can use them instantly. Securely. Exactly when you need them.

Truesec

Truesec

TRUESEC has an exceptional mix of IT specialists. We are true experts in cyber security, advanced IT infrastructure and secure development.

Chorology

Chorology

Chorology is a leading provider of intelligently automated, data compliance and posture enforcement solutions.

True Corporation

True Corporation

True Corporation is Thailand’s leading Telecom-Tech company, empowering people and businesses with connected solutions that advance society sustainably.

SeQure

SeQure

SeQure is a novel cybersecurity and data observability company that offers Fortune 100 and Governments a zero-trust service to continuously monitor large network environments.

Blind Insight

Blind Insight

Field-level searchable encryption plus fine-grained programmable access controls. All wrapped neatly in developer-friendly APIs and SDKs. Data protection perfection.

Inoxoft

Inoxoft

Inoxoft delivers IT security consulting, assessment, and protection services to help businesses secure their infrastructure, applications, and sensitive data.