Results 1 to 6 of 6

Thread: [Android] The Stagefright Vulnerability

  1. #1
    Banned

    Join Date
    Feb 2012
    Posts
    2,361
    Thanks
    166
    Thanked 1,205 Times in 607 Posts
    Rep Power
    0
    Reputation
    16611

    Default [Android] The Stagefright Vulnerability

    Joshua Drake, a top Android researcher who is part of Zimperium’s zLabs team, discovered a unicorn in the world of Android risks. Named 'Stagefright' it gets the title of 'Mother of all Android Vulnerabilities', as it impacts 95% of all Android devices out there and do not require any interaction with the victim. If you ever heard about the 'Heartbleed', this is much worse. It is the worst Android vulnerability in the mobile OS history.

    The warnings of Drake are more than hot air.

    Stagefright is the name of a special multimedia interface in Android operating systems, the affected device can be turned by attacker into a bug. He then has access to microphone and camera and can read the contents of the memory card. Stagefright since Android 2.3 is standard for Android.

    These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. Drake’s research, presented at Black Hat USA on August 5, 2015 and DEF CON 23 on August 7, 2015 found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction.

    Attackers only need your mobile number, then using it they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

    Devices running Android versions prior to Jelly Bean (roughly 11% of devices) are at the worst risk due to inadequate exploit mitigations.

    Demo video:

    Drake already informed Google in April, 2015 and shortly thereafter also the developer of Firefox. Firefox uses under all systems except Linux also Stagefright the library. Furthermore Drake informed numerous manufacturers of Android devices, including BlackPhone. Google accepted patches provided by Drake within a few days and used them in the internally managed Android source code (AKA Stock Android). Patches are, however, ready even for Google's own devices for only a few days.

    Many devices will probably never get the patch. With most smartphone manufacturers, it is common that patches are provided for the operating system only a relatively short time, old models are no longer supported. The Stagefright gaps make even more painfully clear that lack of updates are the biggest problem when it comes to Android security.


    Probably this is 100% true:



Look Here ->
  • #2
    Senior Member

    Join Date
    Jan 2008
    Location
    Shenzhen China
    Age
    59
    Posts
    2,052
    Thanks
    925
    Thanked 1,087 Times in 637 Posts
    Rep Power
    519
    Reputation
    12660

    Default

    my MMS don't run until you open them, not that I ever seem to get them these days anyway

  • #3
    Premium Member
    ol' boy's Avatar
    Join Date
    Jan 2008
    Posts
    17,662
    Thanks
    8,131
    Thanked 10,460 Times in 5,194 Posts
    Rep Power
    4471
    Reputation
    184272

    Default

    Anything like this?
    If u want to go on an expedition get a Land Rover, if u want to come home from an expedition get a Landcruiser!

  • #4
    Banned

    Join Date
    Feb 2012
    Posts
    2,361
    Thanks
    166
    Thanked 1,205 Times in 607 Posts
    Rep Power
    0
    Reputation
    16611

    Default

    Quote Originally Posted by oceanboy View Post
    Anything like this?
    You posted it in the Mobile Phones forum. Because I don't have an Android based phone of course didn't read it.

    Not only phones are affected: but all devices which are running Android, so also tablets etc,pp.

    EDIT

    Google has rolled out last Wednesday a patched version of "lbStagefright". Thus all devices which are running Google's "Stock Android" now should be immunized against 'Stagefright' exploit as those are: Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9 and Nexus 10 phones and tablets
    Last edited by jwoegerbauer; 08-08-15 at 09:36 PM.

  • #5
    Banned

    Join Date
    Feb 2012
    Posts
    2,361
    Thanks
    166
    Thanked 1,205 Times in 607 Posts
    Rep Power
    0
    Reputation
    16611

    Default

    Zimperium’s zLabs team, who dicovered 'Stagefright', have published an app that lets you check if your device is vulnerable to the 'Stagefright' bug. It's available on for free.


  • The Following 2 Users Say Thank You to jwoegerbauer For This Useful Post:

    JasonC (17-08-15),pandorf (17-08-15)

  • #6
    Senior Member

    Join Date
    Jan 2008
    Location
    Shenzhen China
    Age
    59
    Posts
    2,052
    Thanks
    925
    Thanked 1,087 Times in 637 Posts
    Rep Power
    519
    Reputation
    12660

    Default

    Just turn off the auto fetch mms in settings

  • The Following User Says Thank You to jok11n For This Useful Post:

    JasonC (17-08-15)

  • Bookmarks

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •