By now, it is common knowledge that researcher Joshua Drake has discovered an exploitable flaw in Android’s source code, allowing hackers to remotely access your Android device through a simple text message.

Hackers can send a malicious file in a multimedia message (MMS) to any mobile number, where it is handled by Android’s user-friendly media playback engine, Stagefright. When the malicious file is downloaded onto your mobile device, hackers can remotely gain complete access – wiping the device clean and taking full control.

The issue here is that Android is an operating system that, unlike iOS, is not owned by any one company. The researcher from Zimperium labs contacted Google when the flaw was first detected and issued a fix; however, any patches must go through the manufacturers, leaving 950 million Android users susceptible to this type of attack.

And yet, while this is a serious security concern for Android users worldwide, is it the “heartbleed for mobile” that people are making it out to be? 

No publicly confirmed cases.
Reactions to this flaw are erring on the side of the extreme – one suggested solution includes blocking all text messages from unknown senders. Through all the media attention, it’s crucial to note that this hack has not been publicly detected outside of the Zimperium labs. A patch has been issued and, of the top Android partners, 50% have already confirmed a fix will be in place by their next round of updates – HTC, Nexus, Samsung, Silent Circle.

Same old story?
It is worthwhile to remember that this is not the first time MMS has been used as a distribution mechanism for malicious apps and malware. MMS is also not the only way to deliver this type of attack (RCS is another). Before Android and iOS, Symbian smartphones were very popular. In 2005 a Symbian worm called Commwarrior used MMS to spread itself to hundreds of thousands of subscribers. Commwarrior became a significant problem in mobile networks in the Middle East – in some instances smartphones infected with Commwarrior were responsible for 10% of all MMS traffic. Since 2005, AdaptiveMobile’s Network Protection Platform (NPP) has been detecting and removing malicious MMS attachments. Through the years we’ve noted variations of Commwarrior in existence, though they’ve all exhibited the same traffic pattern and payload. MMS is still well used, and because every phone with this functionality could be affected, any MMS-transmitted application exhibiting irregular sending patterns will be detected by our platform, enabling us to effectively protect our customers.

Mobile operators can protect subscribers.
Although this flaw is in the operating system’s source code, mobile operators are able to protect subscribers through their own security systems and by working to ensure the updates are pushed out in a timely manner. Individual operators have the capability – and responsibility – to effectively protect their subscribers against mobile security threats. By monitoring the networks, it is possible to detect and block any type of suspicious or malicious message.
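
As an added illustration (not AdaptiveMobile’s platform logic and not part of the original post), the following Python example flags senders that push one attachment to many distinct numbers within a short window, then reports payloads relayed by more than one such sender, which is the Commwarrior-style traffic pattern described above. The record layout, phone numbers, digests and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed records: (epoch_seconds, sender, recipient, attachment_digest).
# The record layout, numbers, digests and thresholds are all assumptions.
SAMPLE = (
    [(1000 + 30 * i, "+100", f"+20{i}", "aa11") for i in range(6)]      # burst of one payload
    + [(2000 + 40 * i, "+200", f"+30{i}", "aa11") for i in range(5)]    # a recipient re-sends it
    + [(1000 + 7200 * i, "+400", f"+50{i}", "cc33") for i in range(5)]  # same photo over hours
    + [(1500, "+600", "+700", "dd44"), (1600, "+600", "+701", "ee55")]  # ordinary use
)

def flag_fanout(records, window_s=600, min_recipients=5):
    """Return {(sender, digest)} where one attachment went to at least
    min_recipients distinct numbers within any window_s-second window."""
    events = defaultdict(list)
    for ts, sender, rcpt, digest in records:
        events[(sender, digest)].append((ts, rcpt))
    flagged = set()
    for (sender, digest), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window_s:
                start += 1                      # slide the window forward
            if len({r for _, r in evs[start:end + 1]}) >= min_recipients:
                flagged.add((sender, digest))
                break
    return flagged

def relayed_payloads(flagged):
    """Digests pushed by more than one flagged sender: the same payload
    hopping from handset to handset, as a self-propagating worm would."""
    senders = defaultdict(set)
    for sender, digest in flagged:
        senders[digest].add(sender)
    return {d: sorted(s) for d, s in senders.items() if len(s) > 1}

if __name__ == "__main__":
    hits = flag_fanout(SAMPLE)
    print("fan-out senders:", sorted(hits))
    print("relayed payloads:", relayed_payloads(hits))
```

The sender who forwards the same photo to five people over several hours is not flagged, because no single window contains enough distinct recipients.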

Expected increase in coverage.
As we lead into two of the world’s largest security conferences – DEF CON and Black Hat – we expect to notice an increase in coverage of security flaws or concerns.

It is not yet clear what other apps use libstagefright, and while the Zimperium blog identifies the default messaging app and Google Hangouts, it is possible that other OTT messaging apps could also be vulnerable depending on how they were written.

These kinds of vulnerabilities could also be used by commercial spyware vendors, such as Hacking Team, and nation-state actors who want to remotely install malicious software onto your phone. According to an analysis by Trend Micro, Hacking Team used a similar tactic by exploiting CVE-2014-3153, a local privilege escalation vulnerability in Android devices.

In short, we are expecting to see a number of security flaws rise to the surface over the coming weeks. And while each threat needs to be appropriately addressed and evaluated, it’s important to remember that operators have dealt with situations like this in the past and, as with many threats, are equipped to deal with Stagefright should it become weaponised.


Many thanks to Ciaran Bradley and Cathal Mc Daid for their contribution.