Summary: MMS messages can cause Android phones to decode video with libstagefright, which is a C++ library with vulnerabilities and insufficient sandboxing, leading to remote code execution without user interaction.<p>You can partially mitigate the risk by disabling auto-downloading of MMS messages in whichever app you have set to handle text messages, such as Messaging or Hangouts. THIS IS URGENT. While the precise details of the flaw have not been publicly disclosed, this disclosure is sufficient for a skilled person to rediscover the flaw, which means that there is a considerable risk that someone will systematically use it on all the phone numbers.
Google might have to rethink Android's updating strategy, if vulnerabilities like this keep coming out. Of course it would be nice to never have to update some devices, but it's not viable if they are: a) As complex as an Android phone and b) Connected to the internet/phone network.
> Drake speculates that Stagefright has its excessive permissions and Internet access to satisfy some types of digital rights management processing or streaming playback.<p>Goddamn you Hollywood.
These look to be the flaws:<p><a href="http://review.cyanogenmod.org/#/c/103276/" rel="nofollow">http://review.cyanogenmod.org/#/c/103276/</a><p><a href="http://review.cyanogenmod.org/#/c/103275/" rel="nofollow">http://review.cyanogenmod.org/#/c/103275/</a><p><a href="http://review.cyanogenmod.org/#/c/103274/" rel="nofollow">http://review.cyanogenmod.org/#/c/103274/</a><p><a href="http://review.cyanogenmod.org/#/c/103273/" rel="nofollow">http://review.cyanogenmod.org/#/c/103273/</a><p><a href="http://review.cyanogenmod.org/#/c/103272/" rel="nofollow">http://review.cyanogenmod.org/#/c/103272/</a>
Can I configure my phone to reject text messages with attached video? I'm thinking that would protect me from this exploit, plus, as a bonus, I wouldn't get text messages with attached video.<p>EDIT: I appreciate the replies. I was really wondering if I can disable video attachments without disabling other MMS features such as pictures and long messages (in Android 4.3).
I see a series of patches going on CyanogenMod (5 on 12.1 and only 3 on 12.0). Are there any more?<p>1. <a href="http://review.cyanogenmod.org/#/c/103267/" rel="nofollow">http://review.cyanogenmod.org/#/c/103267/</a><p>2. <a href="http://review.cyanogenmod.org/#/c/103268/" rel="nofollow">http://review.cyanogenmod.org/#/c/103268/</a><p>3. <a href="http://review.cyanogenmod.org/#/c/103269/" rel="nofollow">http://review.cyanogenmod.org/#/c/103269/</a><p>4. <a href="http://review.cyanogenmod.org/#/c/103270/" rel="nofollow">http://review.cyanogenmod.org/#/c/103270/</a><p>5. <a href="http://review.cyanogenmod.org/#/c/103266/" rel="nofollow">http://review.cyanogenmod.org/#/c/103266/</a>
From the article: <i>"The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery."</i><p>Do you have to have the "Hangouts" app installed for this security vulnerability?<p>Google doesn't seem to have learned from Microsoft's decade of "autorun" problems.<p><i>It has been (0) days since the last C language buffer overflow vulnerability.</i>
For TextSecure users, will this be an issue? Usually I'm prompted before I download an image/video. Do you think I'm okay using TextSecure?
Why can't Google force vendors and carriers in the Play license terms to open source their kernel and flashing technology so XDA and friends can take care of updates?<p>That would be the cheapest solution.<p>edit: added benefit, everyone is free to load on his device whatever he chooses. Google should have gone that path way earlier.
Hangouts has an option under "SMS" to disable automatic retrieval of MMS messages. Can anyone confirm if this at least stops the instant loading of malware?
The real problem here is that video messages expose a huge attack surface to bad actors, very little of which has been security audited.<p>Automatically parsing videos before the user even chooses to interact with them makes it even worse - although I suspect most people would play a video sent to them over MMS even if it came from an unknown contact.
Now would be a good time for Apple to spread word of this disaster far and wide and to offer a free iPhone to anyone who brings in an Android phone for recycling.
There's hype, but is there any actual information about the vulnerability anywhere? Best I was able to find was this:<p><a href="http://blog.zimperium.com/the-biggest-splash-at-blackhat-and-defcon-2015/" rel="nofollow">http://blog.zimperium.com/the-biggest-splash-at-blackhat-and-defcon-2015/</a>
Even a CVE?
Is there a CVE? I'm not sure I understand, and this article only serves to confuse. Consider this line, at the beginning:<p>> In this attack, the target would not need to goof up — open an attachment or download a file that's corrupt.<p>Is this line simply erroneous?
And tens of millions of phones will never be patched.<p>This is a nightmare bug that will haunt Android forever.<p>I can already imagine many celebrities getting hacked through it.
What is the telecom law, if any, on text message delivery? It seems like the first network to announce "we block all Stagefright exploit messages before they hit your phone" would win a huge PR coup (and they'd be able to do so much faster than trying to prep updates for every device they ever sold).
I disabled Hangouts on a device I couldn't build from source, then got a constant alert that it was trying to start again (a "Hangouts has unexpectedly stopped" notice), so I blacklisted it in startup scripts. Google gives you no option to remove it.
When a vulnerability like this becomes public, I always wonder: how many people knew about it before it became public, for how long, and how much has it been exploited?<p>And I also wonder how many more critical exploits are known and used by 'hackers' or agencies today while we have this puffy feeling that our data/communication is private and secure?<p>The conclusion I can draw from this: never trust that your phone is secure. Or computer, for that matter.
The patches he submitted were to the kernel?<p>He says it will take a long time for those patches to make it to devices, but I question the validity of the assertion simply because Google has moved more and more into the Play framework. So, unless it is truly a kernel bug, I would expect that it's fixable in the framework or target application.<p>Please correct me if I am mistaken though.
I heard the radio bit and thought it sounded reasonable. The one explanation that was missing was how this exploit fits in with those apps' permissions. The article makes it sound as though the compromised apps get root, which shouldn't really be possible.
I know this will soon be patched, but would it be theoretically possible to run a root exploit that would root a phone and install a superuser management app? Root your phone with just a text. That would be an interesting exploit.
This is definitely a huge problem, but I only see it being a doomsday scenario <i>if</i> you're using the default SMS app that ships with your phone (and hence cannot be updated with a patch pushed by your OEM). Assuming you're using Hangouts or Messenger[0] (which is sorta like Hangouts without Gmail), however, as your default SMS app, you should be fine as soon as they patch it. And both of those apps are freely available to download, meaning you could always grab them once they're patched and start using them as your default SMS app if you're worried about it.<p>[0] <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.messaging" rel="nofollow">https://play.google.com/store/apps/details?id=com.google.and...</a>
It's annoying that the media continues to incorrectly spin Android's <i>security updates</i> problem as somehow caused by its <i>open ecosystem</i> (which itself <i>barely</i> meets the definition of open) and implying that Apple's <i>closed system</i> is the solution.<p>GNU/Linux distros are free open source software, and don't suffer from these sorts of update problems. Many distros have special high-priority security update channels that are enabled by default.<p>Please, call this out if you have friends writing / spreading such nonsense.
"The bad guy creates a short video, hides the malware inside it and texts it to your number. "<p>How can you "text" a video? Texting uses.... text. The clue is in the name.<p>Not bothering to read the rest of the article.