Atticusblog
Stagefright: new Android vulnerability dubbed ‘heartbleed for mobile’

A major security flaw in Android lets an attacker take control of a phone simply by sending a text message – and for the vast majority of Android users, there’s no fix available yet.

Even the small number of people who use Google’s own line of Android phones, sold under the Nexus brand, are vulnerable to some of the effects of the bug, according to Joshua Drake, the researcher who discovered the flaw.

The weakness affects a part of the Android operating system, called Stagefright, that lets phones and tablets display media content. A maliciously crafted video can be used to deliver a program that will run on the phone as soon as it is processed by Stagefright, potentially letting an attacker do anything from reading and deleting data to spying on the owner through their camera and microphone.

Worse, Google’s messaging app Hangouts automatically pre-processes videos when they’re received, to cut down the delay if users want to watch them immediately. That means that if the video is sent as an MMS message, it can take over the phone “earlier than the sound that you’ve obtained a message has even occurred,” Drake told NPR.

With Android’s default messaging app, all users have to do is view the message to trigger the Stagefright vulnerability. In neither case does the user actually have to play the video in order to be the victim of the hack. But in newer versions of the Android operating system, Google says that users are protected from the worst effects of the bug.

Chris Wysopal, chief information security officer for app security experts Veracode, called the flaw “Heartbleed for mobile,” referring to the massive bug that put hundreds of thousands of websites at risk of hacking in April 2014.

Wysopal said bugs that severe “are extraordinarily uncommon and pose an extreme security difficulty for customers.”

Drake disclosed the details of the bug to Google in April and supplied the company with patches for the errors – in theory, enough to ensure that users are never put at risk from the bug. He negotiated a ninety-day embargo before he went public, giving the company a long head start to ship a fix to users (Google’s in-house security researchers, Project Zero, apply the same ninety-day warning to other vendors when they discover bugs in products from companies such as Apple and Microsoft).

However, the researcher’s revelation has also highlighted a long-standing security problem with Android, which is how fixes for software errors filter down to end users. Google, which makes the Android operating system, has no power to push patches to the vast majority of Android phones, which are produced by other companies including HTC, LG or Samsung, and those companies often need to negotiate with mobile network operators to ship patches to the end user.

On top of that, only the newest Android phones receive patches, which means that the Stagefright bug – which affects the Android operating system all the way back to 2010’s version 2.2 – may never be fixed for a large number of phones still in use.

Veracode’s Wysopal said that “it will likely be exciting to see how Google responds to this. They’ll need to drive the patch quickly and in a way that affects each affected device at the same time. Watching handset manufacturers or providers issue a patch would be difficult because it may take a month or more before each party issues a patch.

“This will leave a big window for an attacker to reverse engineer the first patch issued by whichever party to create an exploit that might affect any device. We’re likely to see Google pressure down a device that addresses the vulnerability for everyone.”

In a statement, Google said: “This vulnerability was recognized in a laboratory setting on older Android devices, and as far as we know, no person has been affected. As quickly as we were made privy to the vulnerability, we immediately took immediate action and dispatched a fix to our partners to protect users.

“As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at BlackHat.”

Google rewarded Drake $1,337 for reporting the patches – although if he’d waited more than one month until the company launched its official bug bounty program, he could have earned ten times that.
