Stagefright: Everything you need to know about Google’s Android megabug

29 Jul 2015

Android Phones Subject To Attack Via Text Pics.

Stagefright is a nasty potential problem for a huge majority of the world’s Android users. PITTSBURGH (KDKA) – Nearly a billion people worldwide use an Android smartphone, and each phone is potentially vulnerable to an ugly virus that attaches through a text message containing a picture or video. “As soon as it’s received by the phone, it does its initial processing that triggers the vulnerability,” analyst Joshua Drake told National Public Radio. “That’s an invasion of my privacy, trying to get all my information.” According to research by Joshua Drake, an Android expert with Zimperium Mobile Security, a gap in Google’s smartphone operating system can allow hackers to target its Stagefright media library.

Thomas Fox-Brewster covered it in detail in his article yesterday, but here in brief is how to prevent the bug being used to access your phone without you even knowing. That’s because there is reportedly a flaw on some Android devices that automatically downloads pictures, audio or video in text messages you receive. Intruders can gain control of an Android phone’s camera or microphone simply by sending a multimedia message containing malicious code to exploit the weakness in Stagefright’s code. “Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep,” a Zimperium blog post explaining the problem said. “Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.” Unfortunately, publishing new security updates is just one step companies need to take to protect their customers, says Ben Johnson, chief security strategist for the cybersecurity firm Bit9 + Carbon Black. Will Dormann, a senior vulnerability analyst at the Software Engineering Institute in Oakland, says not all smartphones are equal when it comes to resisting this malware. “Google actually did fix the code,” said Dormann. “The bugs are fixed.

Once Google has fixes for the software, it needs to coordinate with companies like Sprint or T-Mobile, which sometimes make customer versions of Android phones, to make them available. The problem is there will be a certain amount of time before those fixes actually work their way out to the end users of the products.” In other words, says Dormann, although Google has fixed the software, it’s not clear that the manufacturer of your particular cell phone and your cell phone provider have passed on the fix. “If you contact the manufacturer, they will let you know if their particular hardware will get the fix.”

That’s what you’ve been asking yourself ever since the Internet erupted yesterday over the announcement of a big computer bug in Google’s Android operating system. Because the exploit works by downloading code via MMS, to prevent being infected you must go to your SMS settings either in your phone’s SMS app, or through Google Hangouts, whichever you use. If they don’t push it out, users won’t get it. “Android users could stop using all messaging apps on their phones, but that is very unlikely,” said Laura Hautala of “So essentially we need to wait for the patches to come out.” The security firm that discovered the bug suggests Android users update to the latest version.

Many at the conference want more companies to open their device software to broader scrutiny from researchers before it is sold to consumers, Johnson says. Anyway, for those who still have questions about all the hullabaloo, Fortune has drafted a friendly Q&A to help you understand what happened, and why it is a problem that still needs fixing.

The downsides of doing this are practically none: if you trust someone sending you an MMS, you can still get the data; you’ll just be asked each time. Security researchers Charlie Miller and Chris Valasek recently exposed a similar flaw in numerous vehicles built by Fiat Chrysler Automobiles, which enabled them to control the brakes and other features of a Jeep by accessing its Uconnect entertainment system. It puts 95% of Android devices—950 million gadgets—at risk of being hacked. “Stagefright” is the name of the media library—a portion of Android’s open source code—in which the bugs were found. Johnson says message-based attacks on Android phones are unlikely to become common in the near future, as hackers instead will likely continue traditional attacks like spear phishing emails that trick users into uploading malware onto a computer through links in phony messages.

The Stagefright vulnerability is a sign of things to come, however, as the growing Internet of Things ecosystem offers a range of options for hackers to invade user privacy. “More and more people are going to be trying to show off things like, ‘I hacked your fridge since it now has an IP address,’” Johnson says of the risks facing Wi-Fi connected devices. What’s worse is that a clever baddie can delete the booby-trapped message from your phone before you even realize that your device has been compromised.

The person who discovered the problems—Joshua Drake, a researcher at the mobile security company Zimperium zLabs—says he provided patches, and Google adopted them within two days. (The company reportedly paid him $1,337 for his work.) That’s because Google’s Android ecosystem relies on its partnering phone-makers to push out software upgrades. Nudge nudge, wink wink.) As Google Android’s lead security engineer explains here, that’s about the time that Google put in place some strong exploit mitigation technologies, like one called Address Space Layout Randomization. “This technology makes it more difficult for an attacker to guess the location of code, which is required for them to build a successful exploit,” Adrian Ludwig writes. Depending on what city you are in and where you’re trying to go, it might be possible but it’s certainly much more difficult.)” Well, if your wireless carrier was real cool, it could create a signature for Stagefright-based attacks, and block those threats on its network.

Retail sales of Internet-connected wearable devices, including watches and eyeglasses, will reach $19 billion by 2018, compared with $1.4 billion this year, Juniper Research said in an Oct. 15 report.
