Stagefright!

Oh no do you have “Stagefright”? No not that paralyzing fear of talking in front of a group of people. Stagefright is the latest in a series of Android OS vulnerabilities. Basically, if you have Android OS you need to assume you are vulnerable until you are sure you are not.

What is “Stagefright”?

Stagefright is the name for a system service in Android that processes various media types. Researcher Joshua J. Drake with Zimperium zLabs discovered that Stagefright could be exploited through a variety of methods, some which require no user interaction. This vulnerability is actually in the Android OS architecture and so your security applications and even Google Play Store cannot detect “bad behaviors”.

ARE YOU VULNERABLE? TEST YOUR DEVICE

Test your device with this tester from the researchers who discovered the vulnerability
https://play.google.com/store/apps/details?id=com.zimperium.stagefrightdetector
or if you prefer a company you know Looksmart has a Stagefright checker as well.
Just go to your Google Play Store.

What does it do?

The simple layman’s version is that the attacker sends a media file or text using Google Hangouts or SMS. Your phone receives the message. The message contains a malicious script that executes on delivery in most cases (in some you have to just click on it). In no case do you actually have to download anything. Once executed the attacker has a series of escalated privileges, which allows them access to most of or all of your devices. There are currently 11+ attack surfaces known.

The current known attack surface for Stagefright, according to Zimperium are:

What do you do?

Well there is good news and bad news. The good news is there are two patches already completed and available to the ecosystem which will fix the issue.  This is great as sometimes patches for compromised software can take what seems like an endless amount of time to fix.

Why two patches?

One patch they thought closed the hole in the OS, but then someone found that there was still an issue and the attack could still be remotely executed, so there is a second patch. NOTE: since this is an OS architecture issue your standard security apps cannot protect you, so make sure you download BOTH of these fixes.

Author’s Note: The researchers who found and reported this vulnerability at Blackhat USA (Black hat USA), ZIMPERIUM, have assured me that once you close both holes (i.e. install both patches) your phone will be safe.

The bad news?

There is a delay between when the patches are created and when your service or phone provider rolls the patches and updates your OS. In addition, many older phones will never receive a patch. While some phone providers are working to fix this like Samsung who is working with its carriers to be able to roll out a set of patches every 30 days.

Right now these patches are still in process of being distributed and it could be more than a few weeks to a month before they are sent out.

Does that mean there is nothing you can do?

Not at all. There are security providers such as Ziperium who have developed programs that can help secure your phone whether you get the update or not. You can also change the prefetch settings on some devices to help prevent the execution of the malicious packets or use other preventative measures like a specialized OS. There is more about this at the end of this article.

*The discrepancy exists because Google has stated phones with certain configurations are not vulnerable, which would leave only 100 million phones. Yet, when tested my Samsung Galaxy 4S shows as vulnerable even though it should have this preventative code installed.

Why should I care? Why would anyone hack me?

The ease of which this vulnerability can be exploited means you do not have to be a direct target. Mass SMS programs can attack many devices at once. This means that your phone could potentially become a bot network or attacker itself. Distributing the SMS is very easy and can be done to hundreds of thousands of phones at one time.

If you use that phone for business, it could cause irreparable damage to your customers and clients for spamming them, not to mention winding up on the wrong side of spam laws in your country for these attacks.

So test your device, if you are vulnerable take steps to prevent your device from being a target and when the patches roll in – install them immediately. Also make sure you only download apps from an official Google Play Store, never from third party websites.

Full List of Protective and Preventative Actions.
For a full list from Zimperium on how to test, help prevent and protect your device check out their blog on the issue.