Stagefright: new Android vulnerability dubbed ‘heartbleed for mobile’

A major security flaw in Android lets an attacker take control of a phone simply by sending a text message – and for the vast majority of Android users, there’s no fix available yet.

Even the small number of people using Google’s own line of Android phones, sold under the Nexus brand, are vulnerable to some of the effects of the bug, according to Joshua Drake, the researcher who discovered the flaw.

The weakness affects a part of the Android operating system, called Stagefright, that lets phones and tablets display media content. A maliciously crafted video can be used to deliver a program that will run on the phone as soon as it is processed by Stagefright, potentially letting an attacker do anything from reading and deleting data to spying on the owner through their camera and microphone.

Worse, Google’s messaging app Hangouts automatically pre-processes videos when they are received, to cut down the delay if the user wants to watch them right away. That means that if the video is sent as an MMS message, it can take over the phone “before the sound that you’ve received a message has even occurred,” Drake told NPR.

With Android’s default messaging app, all the user has to do is view the message to trigger the Stagefright vulnerability. In neither case does the user actually have to play the video in order to be the victim of the hack. But in newer versions of the Android operating system, Google says that users are protected from the worst effects of the bug.

Chris Wysopal, the chief information security officer for app security specialists Veracode, called the flaw “Heartbleed for mobile”, referring to the major bug that left hundreds of thousands of websites vulnerable to hacking in April 2014.

Wysopal said bugs that severe “are extraordinarily uncommon and pose an extreme security difficulty for customers”.

Drake disclosed details of the bug to Google in April, and provided the company with patches for the errors – in theory, enough to ensure that users are never put at risk from the bug. He negotiated a ninety-day embargo before he went public, giving the company a long lead time to ship a fix to users (Google’s in-house security researchers, Project Zero, apply the same ninety-day warning to other vendors when they find bugs in products from companies such as Apple and Microsoft).

However, the researcher’s revelation has also highlighted a long-standing security problem with Android, which is the speed with which fixes for software errors filter down to end users. Google, which makes the Android operating system, has no power to push patches to the vast majority of Android phones, which are produced by other companies such as HTC, LG or Samsung, and those companies often have to negotiate with mobile network operators to ship patches to the end user.

On top of that, only the newest Android phones receive patches, which means that the Stagefright bug – which affects the Android operating system all the way back to 2010’s version 2.2 – may never be fixed for a large number of phones still in use.

Veracode’s Wysopal said that “it will be very interesting to see how Google responds to this. They’ll need to drive the patch quickly and in a way that impacts every affected device at the same time. Waiting for handset manufacturers or carriers to issue a patch would be difficult since it may take a month or more before each party issues a patch.

“This will leave a big window for an attacker to reverse engineer the first patch issued by whichever party to create an exploit that might affect any device. We’re likely to see Google force down a tool that addresses the vulnerability for everyone.”

In a statement, Google said: “This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users.

“As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at BlackHat.”

Google rewarded Drake $1,337 for reporting the patches – though if he’d waited more than a month, until the company launched its official bug bounty programme, he could have earned ten times that.
