Stagefright vulnerability (disable MMS auto-download)

[electricpete]

This is all over the android news sites today. Example link here.

Although the patches won't be out for awhile, I saw one article that recommended (in the meantime) doing the following:

1-disable auto download of MMS (in your sms app settings)
2-don't open MMS from unknown senders.

Those sound like good ideas to me.

 

[AppleUser]

http://www.npr.org/sections/alltech...-phones-would-let-hackers-in-with-just-a-text

 

[AZgl1500]

I keep DATA turned OFF on my phone period.
the only time it is turned on is if I am away from home and WiFi is not available.

no data, no MMS

I also block SMS/MMS from unknown numbers w/o even looking at them

 

[EarlyMon]

Not affected -

Blackphone

CM 12 and 12.1, up to date with current nightlies

CM 11 coming this weekend

HTC has rolled the fix into all projects as of early July, look for updates

Customers of the security firm that found the vulnerability

Everyone who follows @electricpete's advice


Number of times this has been used against people so far -

Zero


No report has been made of what happens with a rooted phone where attempts to access the system are trapped and reported to the user with the software holding until user permission is given. The last two (and only) major exploits that got around that were fixed with Xposed modules.

The exploit has only been reported with regards to unrooted Android.

 

[scary alien]

From what I've read, the vulnerability has been around for quite some time (back when "stage fright" was first released).

The vulnerability itself isn't malware--there apparently hasn't been anything specifically written for this as Joshua Drake has mentioned.

The full details about this won't be revealed until the upcoming Black Hat Conference.

Those with recent Nexus devices will certainly get the patches sooner than later given how much faster the OTAs are made available.

Can't tell you what the manufacturers and carriers will do, but it obvious that older devices ("non-recent" which will be defined by each carrier/manufacturer) likely won't see any patches for this as they won't for any other patches--but you never know.

 

[lunatic59]

In SMS settings in Lollipop uncheck auto retrieve MMS. Thanks @electricpete

 

[EarlyMon]

HTC pre-Lollipop, same thing:

 

[Unforgiven]

It is the same setting in Google Messenger under advanced. It also seems that anyone that has used email in the last ten years should have the common sense to not automatically open attachments from people you don't know.

 

[lunatic59]

It also seems that anyone that has used email in the last ten years should have the common sense to not automatically open attachments from people you don't know.

As someone who works daily in IT, I can honestly say ...

Spoiler

 

[EarlyMon]

So far, NPR has been good about providing updates to the story.

Here's the original posting that ALL stories are derived from -

http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

 

[Blu8]

I'd also like to note that those running custom ROM's should be seeing that patch in the very near future, what with Google adding it to the AOSP source. I know for sure that DU has added the patch to their source. However, I'm not endorsing custom ROM's to deal with this vulnerability, that's rather radical and shouldn't be your only reason for rooting and flashing.

 

[zuben el genub]

Thanks to all for some common sense answers. A lot of people are totally panicked.

 

[Unforgiven]

So far, NPR has been good about providing updates to the story.

I was the NPR story I caught a link to yesterday. Not a normal news source for me and certainly not one for Android related stuff but it was pretty thorough.

Thanks to all for some common sense answers. A lot of people are totally panicked.

I tend to read articles like these with a touch of skepticism thanks to the sensationalism prevalent in news nowadays. Most often the sky isn't falling and a little common sense is all that's needed.

 

[EarlyMon]

A real part of the problem with prevention is right here in this story.

The security firm that found this has a product to safeguard their customers. That's good.

They let Google know. That's good.

Manufacturers and carriers are responding. That's good.

No such attacks to date. That's good.

Very few of the news sources is focusing on what you can do to protect yourself. Not good.

The conference will publicly explain how to build the threat.

I don't pretend to know the answer. We need information to protect ourselves.

But my gut tells me that something is wrong.

 

[codesplice]

I tend to read articles like these with a touch of skepticism thanks to the sensationalism prevalent in news nowadays. Most often the sky isn't falling and a little common sense is all that's needed.

I toss a dash of skepticism in there particularly when a mobile security vendor is reporting the vulnerability, and includes helpful remediation tips such as:

Remediation:

Zimperium’s advanced Enterprise Mobile Threat Protection solution, zIPS, protects its enterprise customers from Stagefright vulnerability.

Also, there's a nice article over at Android Central which discusses the vulnerability from a general user perspective:

So should I worry or not?
Make no mistake about it: This is a bad exploit. And it further highlights the difficulties of getting updates pushed out through the manufacturer and carrier ecosystem. On the other hand, it's a potential avenue for exploit that apparently has been around since Android 2.2 — or basically the past five years. That either makes you a ticking time bomb, or a benign cyst, depending on your point of view.

And for its part, Google told Android Central that there are multiple mechanisms in place to protect users.

We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.

Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.

This is an exploit that needs to be fixed, sooner rather than later — if it hasn't been already. But it's not one that's going to keep us up at night. There are a lot of unknowns, and unfortunately they're being ignored for the sake of scary-sounding storytelling.

Also also, according to Android Police, Google is rolling updates to Nexus devices next week and pushing the fix to AOSP once the details are announced at the BlackHat conference (don't want to steal the presenter's thunder I guess?):

We've received a statement attributed to a Google spokesperson [emphasis ours]:

This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users...

As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we'll be releasing it in open source when the details are made public by the researcher at BlackHat.

 

[EarlyMon]

Stagefright came along in Froyo 2.2 and this story says that all devices since are affected.

Did they test that or derive it?

Remember the WebView scare that was also reported to have started in 2.2 but it turned out didn't get introduced until ICS 4.0?

I can understand that until more facts surface, it's best to assume the worst.

If a surrogate test is also announced at the conference, I'm going to test my device collection.

Stagefright along with the rest of Android has been the target of frequent changes all along.

Btw - a note on being safe if mobile data is off, just use wifi - yeah, maybe not.

A number of carriers use wifi for MMS.

Mitigate the risk at the source, not the data supply type ok.

 

[Masterchief87]

So, could someone with the knowledge turn this vulnerability into a way to root devices that are otherwise unrootable? Like could the code be altered so that it installs a custom recovery instead of trying to steal your data or whatever else it may try to do?
Maybe this could be turned into the next towelroot lol.

 

[Unforgiven]

So, could someone with the knowledge turn this vulnerability into a way to root devices that are otherwise unrootable? Like could the code be altered so that it installs a custom recovery instead of trying to steal your data or whatever else it may try to do?
Maybe this could be turned into the next towelroot lol.

Interesting thought, I guess we'll know after the details are released. Judging by what I've read (I'm no hacker or rom developer) about its capabilities I don't see why not.

 

[bcrichster]

Wouldn't it have been prudent to use that as a Root exploit?

 

[Masterchief87]

I for one think that would be great if I could just copy a recovery image to the root of my internal storage and install it by sending myself an mms
Edit: My phone has system write protection so the system partition can only be mounted rw from within recovery

 

[codesplice]

So the "security researcher" isn't wasting anytime in monetizing this vulnerability...

 

[Thom]

Two things ...

I don't have that auto MMS download message in any SMS app ...

chompSMS
Message+
Messaging
Messenger
Textra​

... curious.

The referenced article in the OP was The Verge.

Is this issue real?

... Thom

 

[Unforgiven]

Two things ...

I don't have that auto MMS download message in any SMS app ...

chompSMS
Message+
Messaging
Messenger
Textra​

... curious.

The referenced article in the OP was The Verge.

Is this issue real?

... Thom

Yes it is real. It isn't as devastating as the mouth-breathing blogosphere would have you believe, especially if you aren't using hangouts for MMS messaging. You may need to look under advanced settings for the option to not automatically load MMS content.

 

[Thom]

Thanks.

It is in four messaging apps I have installed ...
chompSMS (if auto save to gallery is the option)
Messaging
Messenger
Textra (if auto save to gallery is the option)

It is not in one of the messaging apps I have installed ...
Message+

I'm in a meeting with 40 local business leaders tomorrow morning. What should I tell them (if anything) about this issue?

(Correction marked.)

... Thom

 

[Unforgiven]

Unlike the news reports, the sky isn't falling. Check their messaging app and if possible turn off auto downloading MMS. Otherwise, like email attachements, don't blindly open ones from people you don't know.