Tuesday, September 15, 2015

It Only Takes One Text To Hack 950 Million Android Phones



Six critical vulnerabilities have left 95 per cent of Google Android phones open to an attack delivered by a simple multimedia text, a mobile security expert warned. In some cases, where phones parse the attack code prior to the message being opened, the exploits are silent and the user would have little chance of defending their data. The vulnerabilities are said to be the worst Android flaws ever uncovered.
Joshua Drake, from Zimperium zLabs, who reported the bugs in April this year, said whilst Google has sent out patches to its partners, he believes most manufacturers have not made fixes available to protect their customers. “All devices should be assumed to be vulnerable,” Drake, vice president of platform research and exploitation at Zimperium, told FORBES. He believes as many as 950 million Android phones could be affected, going on figures suggesting there are just over 1 billion in use. Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android. They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. To send out exploits, all attackers would need is mobile phone numbers, Drake noted. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions. That would allow for recording of audio and video, and snooping on photos stored on SD cards. Bluetooth would also be hackable via Stagefright.

Depending on the MMS application in use, the victim might never know they had even received a message. Drake found that when the exploit code was opened in Google Hangouts it would “trigger immediately before you even look at your phone… before you even get the notification”. It would be possible to delete the message before the user had been alerted too, making attacks completely silent, he added.
“I’ve done a lot of testing on an Ice Cream Sandwich Galaxy Nexus… where the default MMS is the messaging application Messenger. That one does not trigger automatically but if you look at the MMS, it triggers, you don’t have to try to play the media or anything, you just have to look at it,” Drake added. Additional exploits could be “chained”, such as those that “escalate privileges”, allowing wider access across the phone. Drake said those exploits “are fairly easy to come by on Android, there are quite a few that are public”.
The researcher noted that on some older devices, including the Samsung S4 and the LG Optimus Elite, the exploitable process runs with system-level privileges, providing wide access across the phone. “I’m totally confused why you would do this… with that you can do really nasty stuff already, you don’t really need privilege escalation.”
Drake sent several vulnerability reports along with patches to Google on 9 April. Just a day later, according to Drake, Google confirmed the patches were accepted and would be included in a future release. He reported a second set of issues to Google on 4 May, and on 8 May Google confirmed patches were being scheduled. A total of seven vulnerabilities have fixes ready.
In an emailed statement sent to FORBES, Google thanked Drake for reporting the issues and supplying patches, noting its manufacturer partners should deploy in the coming weeks and months. “Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device,” a spokesperson said.
At the time of publication, the spokesperson had not responded to a question on the availability of a patch for Google’s own Nexus phones. Drake said the Nexus 6 running the latest firmware was patched against some of the issues, but not all, though he couldn’t be more specific. He said devices running Android versions prior to Jelly Bean, version 4.1, representing roughly 100 million devices, have “inadequate exploit mitigations” that wouldn’t prevent Stagefright attacks over MMS.
Manufacturers are typically sloth-like in getting patches out to users. FORBES contacted the biggest Android partners – HTC, LG, Lenovo, Motorola, Samsung and Sony – to ask if or when patches would be made available. None had responded at the time of publication. “Collecting and compiling such information from various parties is an open problem. Unfortunately they are not very forthcoming,” noted Drake, co-author of the Android Hacker’s Handbook.
He had kind words for one Android phone manufacturer, however, Silent Circle, the creator of the privacy-focused Blackphone smartphone, which has applied Drake’s fixes. And Mozilla, whose Firefox browser uses Stagefright to run video, was praised for quickly patching as of version 38.
All the bugs have been provided CVE numbers, used to record and identify vulnerabilities. They include: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829. When the disclosure lands today, security professionals and malicious hackers alike will have enough information to get cracking on exploits. Manufacturers have been urged to make haste in addressing the issues.
Even more information will be made available by Drake, who deserves much credit for his work in finding and fixing the issues from his extraordinary phone lab containing a “Droid Army”, when he explains his findings in full at the Black Hat and DEF CON security events taking place in Las Vegas next week.
UPDATE: HTC sent the following response: “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.” FORBES has asked HTC if that actually means its customers can download the patch.
FORBES understands Google has not sent out patches for Nexus owners. Indeed, it seems thus far that not a single manufacturer has shipped a fix for users.
Google confirmed the Nexus updates would not be rolling out until next week. “As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at Black Hat,” a spokesperson said.
Meanwhile, CyanogenMod, the alternative Android operating system, has released fixes

