Serious Android Flaw: Devices At RiskStagefright Flaw Affects 950M Devices, But Will OEMs Patch?
A serious set of security flaws in the Android operating system could be abused by attackers to seize control of millions of mobile devices simply by sending a specially crafted multimedia text, a security researcher warns. Furthermore, while related patches have been prepped and shared with Google, because many device manufacturers do not update older devices, millions of users' devices may permanently remain at risk.
Current estimates suggest there are 1 billion Android devices in use, of which 95 percent are likely vulnerable to these newly disclosed "Stagefright" flaws, warns Joshua Drake, who's vice president of research and exploitation at Zimperium zLabs - part of security provider Zimperium Mobile Security - and co-author of "Android Hacker's Handbook." In a blog post, Zimperium reports that Drake discovered "multiple remote code execution vulnerabilities that can be exploited using various methods," including a potential spear-phishing attack that could be used to seize control of the phone with no interaction, after which the attacker could automatically delete the related signs of compromise.
"This happens even before the sound that you've received a message has even occurred," Drake tells NPR. "That's what makes it so dangerous. [It] could be absolutely silent. You may not even see anything."
Drake says most Android and derivative devices that run version 2.2 and onwards of the operating system are vulnerable to related attacks. Devices running "Jelly Bean" - versions 4.1 to 4.3.1 - of Android, which accounts for about 10 percent of all such devices, are at the worst risk due to inadequate exploit mitigations, he adds.
Flaws in Stagefright Media Library
The flaws are present in the Android media library known as Stagefright, which processes several popular media forms, according to Zimperium. The company has so far not released full technical details for the flaw, which it says it demonstrated in its lab but not seen exploited in the wild. But the company plans to provide further technical details next week, at the August 2015 Black Hat security conference in Las Vegas.
Within 48 hours of discovering the vulnerabilities in April, Zimperium says it developed related patches and shared them with Google, which maintains the open source Android operating system.
But security experts say it's not clear how many users will ever see related fixes from their device manufacturers. "I know there are patches for Stagefright flaw, but are users going to get them?" asks Surrey University computer-security expert Alan Woodward via Twitter. "Think about it - 950m users."
Although Google says it has shared related patches with Android device vendors and Internet service providers, OEMs have yet to craft and ship related updates to the carriers that sell their devices. Part of the related challenge is that OEMs customize Android for their smartphones and tablets, and thus must code and test related updates for each device, rather than just distributing the Google-supplied fix directly.
A T-Mobile spokesman tells Information Security Media Group that the cellular provider is aware of the problem, but waiting for fixes from relevant original equipment manufacturers. "We received notice from Google about the Stagefright vulnerability, but have identified no issues relating to it at this time," says the spokesman for T-Mobile, which is an Internet service provider that markets smartphones. "These kinds of security fixes are usually released by our third-party device partners, so we're working with them to ensure those security updates have been deployed."
Why Android Patches Lag
Economically speaking, releasing patches can be time-consuming and costly for vendors and ISPs, says Andrew Hoog, chief executive of the mobile security company NowSecure. "Google can patch them incredibly quickly and [the patches] can sometimes sit forever and never make it out to a phone," says Hoog, whose firm discovered the SwiftKey flaw in Samsung smartphones earlier this year, which still remains unpatched. The SwiftKey flaw, only found in Samsung phones, could allow an attacker to "update" devices with arbitrary code, essentially reprogramming them.
"There is a lot of money that goes to [testing], to make sure that when they push out this little update that's supposed to fix that one problem, that it doesn't break your phone, that your MMS still works, that the phones don't overheat," Hoog says.
Andrew Hoog, CEO of NowSecure, explains why ISPs don't patch every Android vulnerability.
Warning: Silent Text Attack
But such delays will pose information security concerns for the vast majority of Android users. That's because unlike most other mobile-device vulnerabilities that have been discovered to date, the Stagefright flaws don't require user interaction, and can instead be automatically - and silently - exploited by an attacker, Zimperium's Drake warns. Indeed, attackers only need a user's mobile-phone number to remotely take control of the device through a specially crafted media file delivered by text message.
"A fully weaponized successful attack could even delete the message before you see it," Zimperium says. "Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual - with a Trojaned phone."
But historically speaking, after new Android vulnerabilities get discovered, oftentimes as few as one in five existing Android users' devices receive related patches, Zimperium warns. Indeed, some OEMs regularly update their Android devices, while others have a poor track at issuing timely updates - if at all (see 930 Million Android Devices at Risk?).
For the Stagefright flaw, furthermore, related fixes would require more than just a simple patch, and instead require affected devices' firmware to be updated. "Such updates for Android devices have traditionally taken a long time to reach users," Zimperium says. "Devices older than 18 months are unlikely to receive an update at all."
Until such fixes arrive, threat-research firm iSight Partners, in a research note, recommends avoiding the Google Hangouts app. "Until patches are made available and applied, users can mitigate the risk by not using Google Hangouts to receive text messages or opening text messages from unknown contacts." Tod Beardsley, the technical lead for the open source penetration testing framework Metasploit, which is maintained by security vendor Rapid7, also notes that disabling auto-retrieval of Multimedia Messaging Service, or MMS, messages will also mitigate some - but not all - of the flaws found by Drake.
Encrypted communications specialist Frederic Jacobs at Open Whisper Systems says that anyone who's worried about Stagefright can use an app such as the free TextSecure to send encrypted communications. "TextSecure is a drop-in replacement for a text messaging app. If the other person is using TextSecure, it will send encrypted messages via a data channel and if the person is not using it, it will fall back on SMS/MMS," he tells Information Security Media Group. "Installing TextSecure and not clicking through warnings should mitigate the vulnerability."
Executive Editor Mathew J. Schwartz also contributed to this story.