Google and Samsung issued preemptive strikes on a bad day for Android phones, promising better and faster security patches before mainstream media starts to freak out over a Black Hat presentation on Stagefright: “scary” vulnerabilities in about 95% of Android phones that could allow them to be hacked just by receiving a text message.
It’s not just any text message, but a specially crafted multimedia message; yet Joshua Drake, from mobile security firm Zimperium, believes about 950 million Android phones could be pwned by receiving such a message. An attacker only needs to know the victim’s phone number to hack their phone; the victim doesn’t necessarily need to open the message or multimedia file. The bugs are in Android’s “Stagefright” media playback engine, which was introduced back in the 2010 release of Froyo, aka Android 2.2. The name “Stagefright” has stuck as the label for exploits of the “mother of all Android vulnerabilities.”
So today Google announced monthly over-the-air updates coming to Nexus devices:
Nexus devices have always been among the first Android devices to receive platform and security updates. From this week on, Nexus devices will receive regular OTA updates each month focused on security, in addition to the usual platform updates. The first security update of this kind began rolling out today, Wednesday August 5th, to Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player. This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues. At the same time, the fixes will be released to the public via the Android Open Source Project. Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.
That’s peachy if your Android is a Nexus, but what if it’s not? According to Zimperium, Android phones from the following vendors are vulnerable to Stagefright:
Today Samsung said it “will implement a new Android security update process that fast tracks the security patches over the air when security vulnerabilities are uncovered. These security updates will take place regularly about once per month.” The company fast-tracked security updates to Galaxy devices vulnerable to Stagefright and is working with mobile carriers and partners. While that is good news, it seems like a snail could crawl 50 miles through molasses before mobile carriers can tweak fixes and push them out to vulnerable phones.
Recent security issues have Samsung “rethinking the approach to getting security updates to our devices in a more timely manner.” Dong Jin Koh, Executive Vice President and Head of Samsung Mobile Research and Development Office, added, “Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected. We believe that this new process will vastly improve the security of our devices and will aim to provide the best mobile experience possible for our users.”
The timing of Google and Samsung’s announcements coincides with Drake’s Black Hat USA presentation, “Stagefright: Scary Code in the Heart of Android.”
Regarding Stagefright, Zimperium previously explained:
A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.
You and I might have heard about Stagefright, but many non-security-obsessed people will start to hear about it via mainstream media’s Black Hat coverage. Hopefully Google and Samsung’s efforts will result in over-the-air patches actually reaching vulnerable Androids faster than it takes for bad guys to start exploiting the flaws. In the interim, Zimperium posted a variety of steps you should take to protect yourself from Stagefright: keep your device updated; disable auto-fetching of MMS for your messaging apps and Google Hangouts; and turn off multimedia message auto-retrieve.
Apple users shouldn’t feel too smug about security as Malwarebytes discovered a zero-day flaw in OS X; it's the DYLD bug that was previously disclosed by security researcher Stefan Esser and it's now being exploited in the wild. Attackers can exploit the hole to remotely run a program using admin rights on a Mac and then access the rest of the OS. Until Apple patches the privilege escalation flaw, and it plans to in Mac OS X 10.10.5, OS X users can and should download Esser’s fix. Tomorrow at Black Hat, security researchers will tell the world about remotely infecting Mac firmware with Thunderstrike 2, which even reformatting won’t fix.