950 million Android phones can be hijacked by malicious text messages


securitybreach


Once again more FUD that can easily be disabled:

 

Almost all Android mobile devices available today are susceptible to hacks that can execute malicious code when they are sent a malformed text message or the user is lured to a malicious website, a security researcher reported Monday.

 

The vulnerability affects about 950 million Android phones and tablets, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium. It resides in "Stagefright," an Android code library that processes several widely used media formats. The most serious exploit scenario is the use of a specially modified text message using the multimedia message (MMS) format. All an attacker needs is the phone number of the vulnerable Android phone. From there, the malicious message will surreptitiously execute malicious code on the vulnerable device with no action required by the end user and no indication that anything is amiss.

 

 

In a blog post published Monday, Zimperium researchers wrote:

A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone.

 

The vulnerability can be exploited using other attack techniques, including luring targets to malicious websites. Drake will outline six or so additional techniques at next month's Black Hat security conference in Las Vegas, where he's scheduled to deliver a talk titled Stagefright: Scary Code in the Heart of Android......

http://arstechnica.c...-text-messages/

 

Just uncheck "Automatically Retrieve MMS messages" in the settings on Messenger or Hangouts and you will be fine.

 


What irks me is that instead of explaining how to disable this feature, they use these big scary titles.

 

Also, who still uses MMSs anyway?


Lots and lots and lots of people use devices with MMS on. Your solution is not a solution for them.

Considering that CVEs have been assigned and Ggle has patched the vulnerability, I don't think it merits 'scare mongering'.

Especially when one considers Ggle putting out this:

“We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.”

“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult,” it continued. “Android devices also include an application sandbox designed to protect user data and other applications on the device.”

But I do chuckle at the phrase "memory-safe languages like Java"

 

One can find out more from Android Central.


I don't associate Graham Cluley with FUD.

http://blog.lumension.com/10402/gaping-hole-in-android-lets-hackers-break-in-with-just-your-phone-number/

 

Even if you *want* to upgrade the operating system on your Android phone or tablet you might not be able to, because an update is only going to be available for those devices with the assistance and goodwill of Google, the device’s manufacturer and your mobile phone carrier.
Not everyone can afford to keep buying new phones. There are lots of users out there using an outdated version of Android.

securitybreach

That's far from the truth. There are custom ROMs for almost every device that has been or will be sold:

 

XDA which is a mobile software development community of over 6.5 million members worldwide with sections for almost every device there is: http://forum.xda-developers.com/

 

XDA has been around since 2010


securitybreach

Heck you can even run the latest version of Android on the first Android phone, the G1 or HTC Dream: http://www.lollipop-...dream-2665.html

 

Mind you, it will be a lot slower as that device only had 256 MB of RAM, but it can be done.

 

If you really want to update your phone, there are instructions on each of the forum sections on XDA

 

You're also forgetting that this affects an application called Hangouts which is updated via the Play Store, so any phone that runs Google Hangouts can get the update.
