950 million Android phones can be hijacked by malicious text messages


6 replies to this topic

#1 securitybreach (CLI Phreak, Forum Admins, 22,984 posts)

Posted 27 July 2015 - 06:28 PM

Once again more FUD that can easily be disabled:

Quote


Almost all Android mobile devices available today are susceptible to hacks that can execute malicious code when they are sent a malformed text message or the user is lured to a malicious website, a security researcher reported Monday.

The vulnerability affects about 950 million Android phones and tablets, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium. It resides in "Stagefright," an Android code library that processes several widely used media formats. The most serious exploit scenario is the use of a specially modified text message using the multimedia message (MMS) format. All an attacker needs is the phone number of the vulnerable Android phone. From there, the malicious message will surreptitiously execute malicious code on the vulnerable device with no action required by the end user and no indication that anything is amiss.


In a blog post published Monday, Zimperium researchers wrote:


A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone.


The vulnerability can be exploited using other attack techniques, including luring targets to malicious websites. Drake will outline six or so additional techniques at next month's Black Hat security conference in Las Vegas, where he's scheduled to deliver a talk titled Stagefright: Scary Code in the Heart of Android......

http://arstechnica.c...-text-messages/

Just uncheck "Automatically Retrieve MMS messages" in the settings on Messenger or Hangouts and you will be fine.


What irks me that instead of explaining how to disable this feature, they use these big scary titles.

Also, who still uses MMSs anyway?
CNI Radio/G+ Profile/Configs/PGP Key/comhack π

"Do you begin to see, then, what kind of world we are creating? It is the exact opposite of the stupid hedonistic Utopias that the old reformers imagined. A world of fear and treachery and torment, a world of trampling and being trampled upon, a world which will grow not less but more merciless as it refines itself. Progress in our world will be progress toward more pain." -George Orwell, 1984
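The class of problem the article describes is a media parser trusting size fields from an attacker-supplied file before it has been checked against the bytes that actually arrived. As an added example (not code from the original post, from Zimperium, or from Android's Stagefright library), the following Python walks the box structure of an ISO BMFF container (MP4/3GP, the format MMS video attachments usually use) and rejects any file whose declared box sizes are inconsistent with the enclosing data. The sample files, the set of container box types, and the nesting limit are constructed assumptions for illustration; this is generic container hygiene a gateway could apply before handing media to a decoder, not a detector for any specific Stagefright bug.

```python
"""Strict ISO BMFF (MP4/3GP) box-structure check for untrusted media.

Added example for this thread; not code from the original post, from
Zimperium, or from Android's Stagefright library. The sample files below
are constructed inline. This is generic container hygiene (declared box
sizes must fit the bytes actually present); it is not a detector for any
specific Stagefright bug.
"""
import struct
from typing import Iterator, Optional, Tuple

BOX_HEADER = struct.Struct(">I4s")   # 32-bit big-endian size, 4-byte type
LARGESIZE = struct.Struct(">Q")      # 64-bit size used when size field == 1
MAX_DEPTH = 16                       # assumed limit: refuse absurd nesting

# Box types whose payload is itself a sequence of boxes (assumed subset).
CONTAINER_TYPES = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"edts", b"dinf"}


class MalformedBox(ValueError):
    """Raised when a box header is inconsistent with the enclosing bytes."""


def walk_boxes(data: bytes, start: int = 0, end: Optional[int] = None,
               depth: int = 0) -> Iterator[Tuple[int, bytes, int, int]]:
    """Yield (depth, type, offset, size) for each box; raise MalformedBox on
    any size smaller than its own header or larger than the bytes remaining
    in the enclosing box."""
    if end is None:
        end = len(data)
    if depth > MAX_DEPTH:
        raise MalformedBox("box nesting deeper than %d" % MAX_DEPTH)
    pos = start
    while pos < end:
        remaining = end - pos
        if remaining < BOX_HEADER.size:
            raise MalformedBox("truncated box header at offset %d" % pos)
        size, btype = BOX_HEADER.unpack_from(data, pos)
        header_len = BOX_HEADER.size
        if size == 1:  # 64-bit 'largesize' follows the type field
            if remaining < header_len + LARGESIZE.size:
                raise MalformedBox("truncated largesize at offset %d" % pos)
            (size,) = LARGESIZE.unpack_from(data, pos + header_len)
            header_len += LARGESIZE.size
        elif size == 0:  # box extends to the end of the enclosing box
            size = remaining
        # The two checks a parser must make before using 'size' for any
        # allocation or copy: it covers at least its own header, and it does
        # not run past the bytes that actually exist.
        if size < header_len:
            raise MalformedBox("box %r at %d declares size %d < header" % (btype, pos, size))
        if size > remaining:
            raise MalformedBox("box %r at %d declares size %d, only %d bytes remain"
                               % (btype, pos, size, remaining))
        yield depth, btype, pos, size
        if btype in CONTAINER_TYPES:
            yield from walk_boxes(data, pos + header_len, pos + size, depth + 1)
        pos += size


def is_well_formed(data: bytes) -> bool:
    """True if every box in the file has a consistent size field."""
    try:
        for _ in walk_boxes(data):
            pass
        return True
    except MalformedBox:
        return False


def box(btype: bytes, payload: bytes = b"") -> bytes:
    """Build a box with a 32-bit size field (helper for the constructed samples)."""
    return BOX_HEADER.pack(BOX_HEADER.size + len(payload), btype) + payload


# Constructed sample: a minimal, consistent 3GP-style layout (156 bytes).
GOOD = (box(b"ftyp", b"3gp4" + b"\x00\x00\x00\x00")
        + box(b"moov", box(b"mvhd", b"\x00" * 100))
        + box(b"mdat", b"\xaa" * 16))

# The 'mvhd' header sits at offset 24 (after the 16-byte ftyp and the 8-byte
# moov header). Patch its size field to build files a naive parser would trust.
MVHD_SIZE_OFFSET = 24
BAD_OVERSIZE = GOOD[:MVHD_SIZE_OFFSET] + struct.pack(">I", 0x7FFFFFFF) + GOOD[MVHD_SIZE_OFFSET + 4:]
BAD_UNDERSIZE = GOOD[:MVHD_SIZE_OFFSET] + struct.pack(">I", 4) + GOOD[MVHD_SIZE_OFFSET + 4:]
TRUNCATED = GOOD[:-5]  # the final 'mdat' box claims more bytes than the file holds

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("BAD_OVERSIZE", BAD_OVERSIZE),
                         ("BAD_UNDERSIZE", BAD_UNDERSIZE), ("TRUNCATED", TRUNCATED)]:
        print(name, "well-formed" if is_well_formed(sample) else "REJECTED")
```

The check deliberately stops at container structure: it never decodes sample tables or codec payloads, so it stays small enough to reason about. A file that passes can still carry a malicious stream, and a file that fails is simply dropped rather than handed to the decoder, which is the same effect disabling auto-retrieve has, applied only to the files that are visibly inconsistent.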

#2 crp (Discussion Deity, Members, 3,008 posts)

Posted 27 July 2015 - 10:07 PM

Lots and lots and lots of people use devices with MMS on. Your solution is not a solution for them.
Considering that CVEs have been assigned and Ggle has patched the vulnerability, I don't think it merits 'scare mongering'.
Especially when one considers Ggle putting out this:

Quote

“We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.”
“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult,” it continued. “Android devices also include an application sandbox designed to protect user data and other applications on the device.”
But I do chuckle at the phrase "memory-safe languages like Java".

One can find out more from android central.
Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience. ~C. S. Lewis

#3 securitybreach (CLI Phreak, Forum Admins, 22,984 posts)

Posted 28 July 2015 - 07:37 AM

And also: http://www.zdnet.com...-android-users/

#4 zlim (It's me, plodr; Forum MVP, 7,010 posts)

Posted 28 July 2015 - 09:51 AM

I don't associate Graham Cluley with FUD.
http://blog.lumensio...r-phone-number/

Quote

Even if you *want* to upgrade the operating system on your Android phone or tablet you might not be able to, because an update is only going to be available for those devices with the assistance and goodwill of Google, the device’s manufacturer and your mobile phone carrier.

Not everyone can afford to keep buying new phones. There are lots of users out there using an outdated version of Android.
Liz
Registered Linux User # 401459

#5 securitybreach (CLI Phreak, Forum Admins, 22,984 posts)

Posted 28 July 2015 - 10:01 AM

That's far from the truth. There are custom ROMs for almost every device that has been or will be sold:

XDA, which is a mobile software development community of over 6.5 million members worldwide, has sections for almost every device there is: http://forum.xda-developers.com/

XDA has been around since 2010.

#6 securitybreach (CLI Phreak, Forum Admins, 22,984 posts)

Posted 28 July 2015 - 10:04 AM

Heck you can even run the latest version of Android on the first Android phone, the G1 or HTC Dream: http://www.lollipop-...dream-2665.html

Mind you, it will be a lot slower, as that device only had 256 MB of RAM, but it can be done.

If you really want to update your phone, there are instructions in each of the forum sections on XDA.

You're also forgetting that this affects an application called Hangouts, which is updated via the Play store, so any phone that runs Google Hangouts can get the update.

#7 crp (Discussion Deity, Members, 3,008 posts)

Posted 29 July 2015 - 07:16 PM

And here is another one, though it seems to be the type that doesn't harvest, "just" annoys.
ANDROID-21296336
http://blog.trendmic...devices-silent/

If you use repackaged apps, you might want to wait for the AV vendors to catch up to this one.