Stagefright on Android – Shocking exploit revealed

A shocking exploit has been revealed in Android providing a backdoor in to activate malicious code on your handset via MMS utilising the Stagefright Code Library responsible for handling Media.

Regardless of whether you read anything more of this article beyond this section, do the following:

Whichever app you use for messaging, go into the settings (most likely Advanced) and disable Auto-retrieval of MMS.

If you recognise any of the messaging interfaces in the gifs below, then follow the steps they’re showing.

turn-off-mms-auto-download-hangoutsturn-off-mms-auto-download-messenger
Google Hangouts, Google Messenger

If you’re using a Galaxy S6 (and probably most Lollipop running Samsung devices):
Messages app -> More -> Settings -> More settings -> Multimedia messages -> Auto retrieve

turn-off-mms-auto-download-galaxy-messages
Galaxy S6

Images lifted from this blog, and also by extension this guy.

If you don’t recognise your messaging client in the images above, then Google how to disable the auto-download/auto-retrieval of MMS messages on your phone. This applies whether you know what an MMS message is or not.

I’ll even wait while you do it.

Some time later….

Ok, now the details.

Stagefright is the part of the Android code library responsible for handling various media formats. It’s been around for years, and given the size of the Android codebase, it’s understandable that not every line has been reviewed.

One security researcher, Joshua J. Drake (@jduck), decided to delve into the depths of the code and has discovered what is to date the largest Android vulnerability, affecting as many as 95% of all Android devices out there. Every device running v2.2 (Froyo) onwards is susceptible, up to and including v5.1.1 (Lollipop).

While the detail is under wraps at present and due to be presented at Black Hat USA on 05/08/2015 and again 2 days later at DEF CON 23 on 07/08/2015, the synopsis is this: Sending an MMS with a malicious payload to any number can exploit the code in Stagefright.

Stagefright_example
Image lifted from this blog.

Google have acknowledged the vulnerability and patched it in the Android source code. jduck submitted the updates to the CyanogenMod codebase and the commits were made on 14th July, so current nightlies are also patched. That’s maybe 2 or 3 percent of the Android user base covered. What about the other 925 million users?

Over to you, Samsung

Name as many Samsung Android devices as you can. Galaxy S6, Galaxy Note 4, Galaxy Tab; those are the easy ones.

Perhaps something a little more obscure, the Samsung I8530 Galaxy Beam for example; the phone with a built in projector. Or even the Samsung Galaxy Beam2 (yes, they made another one!).

Still too easy? How about the LTE-sporting Samsung Galaxy Camera?

If you’re not an Apple patent lawyer, you’ll be forgiven if you don’t recognise the device in the header image for this article. It’s a Samsung Galaxy S. While it’s not Samsung’s first Android phone (that honour falls to the Samsung Galaxy), it’s the first Android device Samsung released which sold in the tens of millions and, much to the annoyance of Google, set the Galaxy brand up as synonymous with Android. When did you last see one being used? In tech terms, it’s old enough that it’s disappeared into obscurity, but any that are in use today are still affected by this bug.

Android has surpassed Windows as the most widely installed OS in the world, and rough estimates generally state Samsung as having sold nearly two-thirds of the 1 billion Android devices out in the wild. There are potentially 650 million Samsung devices out there, starting with the Galaxy S, all with this bug. Knowing how long it usually takes an OS update to appear for even the flagship device, that’s a lot of devices which are never going to see a patch and, if they do, you can bet good money it won’t be before 5th August when the details of this exploit are released.

Oh, and Mozilla

There’s a similar issue with versions of Firefox prior to v38 on all platforms, which has already been patched as well. This one you can update to right now.

Take care of yourselves and each other

For the next week, make sure you take your role as family/office tech-support a little further than usual. Prod them to update Firefox, and let people know how they can at least disable MMS auto-retrieval on their Android device. It’s not a code fix, that can only come from the OEM (and will likely be held up even longer by the mobile networks), but it’s one more line of defence for something that with the rise of Hangouts & WhatsApp, a generation is forgetting exists.

Sources: Ars Technica, Zimperium, Twilio.

MD

Classified. No, seriously. Well maybe not quite that seriously, but definitely seriously enough that ... [redacted]