Stagefright: New Android Vulnerability Dubbed 'heartbleed for mobile'

Researcher Joshua Drake has found a number of flaws which will allow the hacker to execute malicious code remotely

An attacker can take over the vast majority of Android phones with just a text message, security researcher reports
A major security flaw in Android lets an attacker take control of a phone simply by sending a text message – and for the vast majority of Android users, there’s no fix available yet.

Even the small number of people using Google’s own line of Android phones, sold under the Nexus brand, are vulnerable to some of the effects of the bug, according to Joshua Drake, the researcher who discovered the flaw. The weakness affects a part of the Android operating system, called Stagefright, that lets phones and tablets display media content. A maliciously crafted video can be used to deliver a program, which will run on the phone as soon as it is processed, by Stagefright, potentially letting an attacker do anything from read and delete data to spy on the owner through their camera and microphone.

Worse, Google’s messaging app Hangouts automatically pre-processes videos when they’re received to cut down the delay if the user wants to watch them straight away. That means that if the video is sent as an MMS message, it can take over the phone “before the sound that you’ve received a message has even occurred,” Drake told NPR.
Even with Android’s default messaging app, all the user has to do is view the message to trigger the Stagefright vulnerability. In neither case does the user actually have to play the video in order to be the victim of the hack. But in newer versions of the Android operating system, Google says that users are protected from the worst effects of the bug.

Chris Wysopal, the chief information security officer for app security specialists Veracode, called the flaw “Heartbleed for mobile”, referring to the widespread bug that put hundreds of thousands of websites at risk of hacking in April 2014.
Wysopal said bugs that severe “are exceedingly rare and pose a serious security issue for users”.

Drake revealed details of the bug to Google in April, and provided the company with patches for the errors, in theory, enough to ensure that users are never put at risk from the bug. He negotiated a 90-day embargo before he went public, giving the company a long headway to ship a fix to users. Google’s in-house security researchers, Project Zero, apply the same 90-day warning to other vendors when they find bugs in products from companies such as Apple and Microsoft.

But the coder’s revelation has also highlighted a long-standing security problem with Android, which is the speed with which fixes for software errors filter down to end users. Google, which makes the Android operating system, has no power to push patches to the vast majority of Android phones that are produced by other companies such as HTC, LG or Samsung, and those companies frequently have to negotiate with mobile network operators to send patches to the end user.
In a statement, Google said: “This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users.
“As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at BlackHat.”

Google rewarded Drake $1,337 for reporting the patches, although if he’d waited a couple of months, until the company launched its official bug bounty programme, he could have earned ten times that.

Guardian

 

« Can You have Both Security & Privacy in the Internet Age?
Don't Make These IT Mistakes in Your Organisation »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Information Commissioner's Office (ICO)

Information Commissioner's Office (ICO)

The Information Commissioner's Office is an independent authority set up to uphold information rights in the public interest.

Shadowserver Foundation

Shadowserver Foundation

Shadowserver Foundation aims to improve internet security by raising awareness of compromised servers, malicious attackers and the spread of malware.

SecuGen

SecuGen

SecuGen is a leading provider of advanced, optical fingerprint recognition technology, products, tools and platforms for physical and information security.

Teramind

Teramind

Teramind provides a user-centric security approach to monitor employee behavior in order to identify suspicious activity, detect possible threats, monitor efficiency, and ensure industry compliance.

MACH37

MACH37

MACH37 is a market-centric cybersecurity accelerator program designed to facilitate the creation of the next generation of cybersecurity product companies.

Lightship Security

Lightship Security

Lightship Security is an accredited Common Criteria and FIPS 140-2 IT security testing laboratory that specializes in test conformance automation solutions and IT product security certifications.

CYRail

CYRail

CYRail project will analyse threats targeting Railway infrastructures and develop innovative attack detection and alerting techniques.

Blockchain Solutions

Blockchain Solutions

Blockchain Solutions Limited is a technological One Stop Solution provider, for Blockchain technology.

Shevirah

Shevirah

Shevirah specializes in products for automated mobile and IoT device vulnerability assessment, penetration testing, and mobile security awareness training.

North American International Cyber Summit

North American International Cyber Summit

The North American International Cyber Summit brings together experts from around the globe to provide timely content and address a variety of cybersecurity issues impacting the world.

Strike Graph

Strike Graph

The Strike Graph GRC platform enables Security Audits & Certifications.

DoControl

DoControl

DoControl gives organizations the automated, self-service tools they need for SaaS applications data access monitoring, orchestration, and remediation.

Normalyze

Normalyze

Normalyze are solving some of the most painful problems enterprise IT security teams face in the cloud and data security space. We help enterprises protect all the data they run in the cloud.

Unciphered

Unciphered

Unciphered was created as the first company providing services for opening locked hardware cryptocurrency wallets.

Kong

Kong

Kong - powering the API world. Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

Cipher Net Shield

Cipher Net Shield

Cipher Net Shield specializes in secure E-wallet solutions with a strong focus on blockchain and cybersecurity, prioritizing both transaction security and the recovery of lost capital.