Stagefright: New Android Vulnerability Dubbed 'heartbleed for mobile'

Researcher Joshua Drake has found a number of flaws which will allow the hacker to execute malicious code remotely

An attacker can take over the vast majority of Android phones with just a text message, security researcher reports
A major security flaw in Android lets an attacker take control of a phone simply by sending a text message – and for the vast majority of Android users, there’s no fix available yet.

Even the small number of people using Google’s own line of Android phones, sold under the Nexus brand, are vulnerable to some of the effects of the bug, according to Joshua Drake, the researcher who discovered the flaw. The weakness affects a part of the Android operating system, called Stagefright, that lets phones and tablets display media content. A maliciously crafted video can be used to deliver a program, which will run on the phone as soon as it is processed, by Stagefright, potentially letting an attacker do anything from read and delete data to spy on the owner through their camera and microphone.

Worse, Google’s messaging app Hangouts automatically pre-processes videos when they’re received to cut down the delay if the user wants to watch them straight away. That means that if the video is sent as an MMS message, it can take over the phone “before the sound that you’ve received a message has even occurred,” Drake told NPR.
Even with Android’s default messaging app, all the user has to do is view the message to trigger the Stagefright vulnerability. In neither case does the user actually have to play the video in order to be the victim of the hack. But in newer versions of the Android operating system, Google says that users are protected from the worst effects of the bug.

Chris Wysopal, the chief information security officer for app security specialists Veracode, called the flaw “Heartbleed for mobile”, referring to the widespread bug that put hundreds of thousands of websites at risk of hacking in April 2014.
Wysopal said bugs that severe “are exceedingly rare and pose a serious security issue for users”.

Drake revealed details of the bug to Google in April, and provided the company with patches for the errors, in theory, enough to ensure that users are never put at risk from the bug. He negotiated a 90-day embargo before he went public, giving the company a long headway to ship a fix to users. Google’s in-house security researchers, Project Zero, apply the same 90-day warning to other vendors when they find bugs in products from companies such as Apple and Microsoft.

But the coder’s revelation has also highlighted a long-standing security problem with Android, which is the speed with which fixes for software errors filter down to end users. Google, which makes the Android operating system, has no power to push patches to the vast majority of Android phones that are produced by other companies such as HTC, LG or Samsung, and those companies frequently have to negotiate with mobile network operators to send patches to the end user.
In a statement, Google said: “This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users.
“As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at BlackHat.”

Google rewarded Drake $1,337 for reporting the patches, although if he’d waited a couple of months, until the company launched its official bug bounty programme, he could have earned ten times that.

Guardian

 

« Can You have Both Security & Privacy in the Internet Age?
Don't Make These IT Mistakes in Your Organisation »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

SABSACourses

SABSACourses

SABSA is a development process used for solving complex problems such as IT Operations, Risk Management, Compliance & Audit functions.

Hex Security

Hex Security

Hex Security Limited is a specialist Information Assurance (IA) consultancy working with associates and partners to deliver security certification and accreditation support.

TBG Security

TBG Security

TBG provides a portfolio of services including cyber security, compliance and continuity solutions.

Fidelis Security

Fidelis Security

Fidelis Security is a leading provider of extended threat detection and response (XDR) solutions for your security operations.

BPC Banking Technologies

BPC Banking Technologies

BPC’s advanced fraud prevention solution helps card issuers and acquirers combat the growing threat by monitoring 100% of transactions, online, in real-time across all channels.

4N6

4N6

4N6 is a privately-owned firm founded with the goal of providing expert knowledge of computer forensics.

Secnology

Secnology

Secnology is dedicated to developing and providing the most powerful and user friendly event analysis and security management solution.

Cyberra Legal Services (CLS)

Cyberra Legal Services (CLS)

Cyberra Legal Services provides cyber law advisory, cyber crime consultancy, cyber law compliance audit, cyber security, cyber forensics and cyber training services.

Palantir

Palantir

Palantir software empowers entire organizations to answer complex questions quickly by bringing the right data to the people who need it.

Business Resilience International Management (BRIM)

Business Resilience International Management (BRIM)

Business Resilience International Management (BRIM) is engaged by law enforcement in the UK and overseas to advise on establishing and developing Cyber Resilience Centres (CRCs) for business.

LAVAAT

LAVAAT

At LAAVAT, our goal is to make it easy for our customers to build secure IoT devices without a need to invest considerably in embedded security and cryptography expertise.

Schellman

Schellman

Schellman is a leading provider of attestation and compliance services.

Rezonate

Rezonate

Rezonate discovers, profiles, and protects Identities and their entire access journey to cloud infrastructure and critical SaaS applications. Preventing and stopping cyberattacks.

WPScan

WPScan

With WPScan, you'll be the first to know about vulnerabilities affecting your WordPress installation, plugins, and themes.

Network Coverage

Network Coverage

Network Coverage align, maintain, and integrate technology and cloud solutions with business operations to improve productivity and security with as few issues and disruptions as possible.

E-CQURITY (ECQ)

E-CQURITY (ECQ)

ECQ is a network security company offering offensive security services and solutions focused on active offensive and defensive positioning.