It's BACK – Stagefright 2.0: Zillions of Android gadgets can be hijacked by MP3s, movie files

More than a billion Android phones, tablets and other gadgets can be hijacked by merely previewing MP3 music or MP4 video files. Booby-trapped songs and vids downloaded from the web or emails can potentially compromise vulnerable devices, and install spyware, password-stealing malware, and so on. This is all thanks to two …

  1. ZSn

    Microsoft phones

    This is where Apple and even Microsoft actually win over Android. Even my elderly Windows 520 is supported but a 2012 edition Nexus tablet isn't.

    1. Anonymous Coward

      Re: Microsoft phones

      Yes Android = good idea, rubbish implementation. The licence should have forbidden any tailoring of the operating system by manufacturers and distributors to add their own features. Then everyone would have the same vanilla version and a patch to the codebase would actually make a jot of difference to the majority of users.

      1. Anonymous Coward

        Re: Microsoft phones

        Except at the time the carriers pushed back and basically gave an ultimatum, "You let us lock our stuff in or your phones don't go in our stores. Deal or No Deal?" That meant Google couldn't pull an Apple (who could only do what they did due to their unique sirenesque appeal) as the carriers were willing to walk away and leave Android dead in the water. Know any other way to break into the phone market in the late oughties?

        1. Anonymous Coward

          Re: Microsoft phones

          As you say, Apple did exactly this - no carrier modifications. I cannot know whether Google even talked about this or considered it in their negotiations.

          What other options were there for the carriers in 2008? My guess is that without Android we would all have Windows phones which would probably be a better place than we are in now.

          I do not know if they have locked-in carrier modifications despite their lack of consumer appeal?

          1. sisk

            Re: Microsoft phones

            My guess is that without Android we would all have Windows phones which would probably be a better place than we are in now.

            Have you not seen the cluster that is Windows phone? The only reason it's not rampant with viruses is because no one uses it. No sir, the handful of malware that can infect droids is better than what we'd have if Microsoft had Android's market share by far.

            1. Vector

              Re: Microsoft phones

              "the handful of malware that can infect droids is better than what we'd have if Microsoft had Android's market share"

              Not sure if that's true. Not that I'm any fan of WinPhone but Microsoft certainly improved their security stance in Windows after going through the wringer time and again. Is it perfect? No. But it's far more responsive than it once was.

              This is a lesson Google should have learned and after the first Stagefright debacle, the first and primary feature of Marshmallow should have been a cohesive update system, even if that meant delaying its release. Simply put, this is that important! My phone (LG G3) still hasn't seen a patch for SFv1. That's not critical since I can turn off MMS and ignore anything from unknown senders (which I tend to do anyway, now I just have a better excuse). This new exploit is critical since everyone wants to throw videos on their webpages.

              Much as I've been a fan of Android, this could be a market killer for it.

              1. Anonymous Coward

                Re: Microsoft phones

                That's odd, my unlocked-from-Ebuyer LG G3 was updated a couple of weeks ago. Now passes all six of Zimperium's tests.

              2. This post has been deleted by its author

            2. nijam Silver badge

              Re: Microsoft phones

              I have a Windows phone and even I scarcely use it!

              Roll on the day when people stop getting subsidised phones from their carrier and can choose sensible phones for themselves.

        2. Anonymous Coward

          Re: Except at the time the carriers pushed back and basically gave an ultimatum

          Are you just making stuff up or do you have any links or information to back up this story?

      2. Vic

        Re: Microsoft phones

        The licence should have forbidden any tailoring of the operating system by manufacturers and distributors to add their own features

        Not necessary.

        All that is actually required is for all the vendor-supplied mods to go into a separate partition - perhaps mounted on /opt. The core stuff would be pretty much common between all machines of a given architecture, so easily updated without needing the vendor to do much of anything.

        Vic.

    2. Anonymous Coward

      Re: Microsoft phones

      2012 Nexus 7 running Android 5.1.1

      How is that unsupported?

      1. ZSn

        MRI is NMR

        It stopped being supported a few weeks ago just as Stagefright struck. Look at the version code vs the latest and greatest. You do know that there are various versions of 5.1.1, not all up to date?

        1. ratfox

          Carrier pushback

          Carriers certainly have a history of putting conditions for selling Android phones. E.g Verizon Galaxy Nexus phones were the only ones not to have the Google Wallet feature, because Verizon was trying to push its own payment solution.

          It's hard to believe now, but at some point in the past Android was an underdog, and Google had to convince carriers to sell Android phones.

        2. Anonymous Coward

          Re: MRI is NMR

          Care to back that up? I would be keen to know how/why Google is or would maintain various versions of the same version of the OS. I can see there being build variations within Google, but that is not the same as two versions of 5.1.1, or 4.4.2, or any other number you care to pull out of the air. OEMs who maintain their own unique flavour of Android don't count, because we're talking about a Nexus device and the Google version would be the default.

      2. Planty Bronze badge

        Re: Microsoft phones

        Sony Xperia Z3, running Android 5.1.1 with both stagefright patches to date. Same patch level as a Google Nexus. How is that unsupported???

        Pretty sure this one will also be patched in a timely manner.

        Not that Stagefright is anywhere near as bad as everyone with a vested interest is making out. Not a single real world occurrence of any Stagefright issue to date (after 8 weeks), which to me means 1 of 2 things

        1. Overplayed by the press

        2. ASLR is doing its job

        Windows is the toxic hellstew, even Apple are having problems. To date I have NEVER seen a single Android device with malware, yet in the Windows world it's rare to find a machine not infested.

    3. Robert Helpmann??
      Childcatcher

      Re: Microsoft phones

      This is where Apple and even Microsoft actually win over Android.

      Windows Phone, maybe, but this kind of attack (relying on an app's preview function to execute code) has been exploited in Outlook. Best practice there is to turn preview off. I would think a similar approach for Stagefright would help to mitigate the flaw.

  2. heyrick Silver badge

    Mmm...

    Following the most recent set of vulns, Samsung pushed out a large update to my Galaxy S5 Mini. There was no information about the update and contacting customer support said they were unable to tell me the contents of the update.

    Useful. Until evidence to the contrary, I can only assume that my phone is unpatched.

    1. Indolent Wretch

      Re: Mmm...

      Got the update pushed automatically to my 2 year old Asus device last week.

      Was labelled as a patch for Stagefright.

    2. Argh

      Re: Mmm...

      There are apps to check to see if you're vulnerable.

      Samsung have pushed out fixes for the original Stagefright issue to stock (non-carrier branded) devices, but I haven't had an update for a long time on my EE S5 and it's definitely vulnerable.

      I'm not sure about the stock S5 Mini.

    3. sysconfig

      Only for recent phones...

      As the article rightly says, Jelly Beans or older phones in general (3 years or so?) will probably see no updates whatsoever. In case of Samsung, their response to my inquiry as to whether updates/patches will be provided for my S3 in light of the original Stagefright was: nope sorry, got to buy a more recent phone. So I did... but it sure wasn't a Samsung this time around.

      It's just another carrier scam to force you into 2 year rip-off contracts as opposed to purchasing an unlocked phone and do whatever the hell you want with it.

      If I ever find the time and inclination to do so, I'll give CyanogenMod a spin on the S3.

      1. The Jester

        Re: Only for recent phones...

        My advice for Cyanogen on the S3 - don't. I've tried various different ROMs and the most stable one I've found is Archidroid, and even that has severe lag and FC issues at random.

        Edit: Just five minutes after posting this comment, the gods of Cyanogen smite me with a random reboot, the third this week...

        1. sysconfig

          @Jester - Re: Only for recent phones...

          Thanks for the warning! Off to /dev/null with the S3 then...

          1. dotdavid

            Re: @Jester - Only for recent phones...

            The stable release of CyanogenMod 11 (KitKat) is fine on my S3. Make sure you wipe data/cache before applying as that can cause a load of weird issues.

            CM12+ (Lollipop) is much more unstable from what I've seen.

        2. sisk

          Re: Only for recent phones...

          My advice for Cyanogen on the S3 - don't. I've tried various different ROMs and the most stable one I've found is Archidroid, and even that has severe lag and FC issues at random.

          Edit: Just five minutes after posting this comment, the gods of Cyanogen smite me with a random reboot, the third this week...

          I'll second that. On my S3 Cyanogen silently reboots so often that the space being taken up by reboot logs has become a serious issue. I have to go in and purge them every couple weeks or I start having lack-of-free-space related issues from the gigabytes they occupy. Cyanogen used to be a good custom ROM. Not so much these days.

          1. dotdavid

            Re: Only for recent phones...

            Don't blame Cyanogen, blame Samsung. The former i9300 device maintainer wrote a series of Google+ posts explaining why; TLDR Samsung don't release the code and have rubbish dev relations with the open source community. It's why I'll never buy another Samsung phone.

  3. Your alien overlord - fear me

    AOSP (Kitkat/Lollipop) haven't been updated for quite a few weeks now (Lolli is still r18). You sure Google is giving them to AOSP users or is this old news?

    1. Anonymous Coward

      "Lolli is still r18"

      That's a description either copied from a channel that isn't broadcasting any more or that 'i' should be a 'y'.

      Possibly or so I've heard, not that I would know about such things, apparently, from what I have been told. By a friend. Who knew someone who had read about it.

      Or I am deafened by the whoosh, in addition to already having gone blind...

  4. caffeine addict

    Isn't the simple answer to the problem (in the future) to restrict carriers to modifying launchers and (if they insist) their protected apps, but to leave the core Android stock if it wants to be called Android?

    1. Anonymous Coward

      And then the carriers respond with, "Fork it!"?

      1. Anonymous Coward

        And then Google responds with "Go ahead, but good luck without the Play Store!"

  5. MacGyver

    This is wonderful!

    Maybe now someone can use it to root my Samsung without tripping the Knox fuse. </sarcasm>

  6. thtechnologist

    Just got a Note 5 that is probably going up for sale after MS thingy on the 6th. If the phones are even half decent I'm jumping. This is simply ridiculous at this point.

  7. Frumious Bandersnatch
    Windows

    RMS not looking so nutty now

    Let's face it, Android is not a proper open system. All the actors including hardware chip, SoC, sensor and radio part vendors, phone/tablet manufacturers to Google itself along with software vendors and carriers have direct interests vested keeping their parts of the platform protected from everyone else in the industry. By extension, that means that users are basically in thrall to various companies and cabals. With everyone fighting to protect their own "intellectual property" and business models, it's no wonder that the whole ecosystem produces a product that is basically insecure by design.

    By way of contrast, I've been a Debian user for a long time. One of the things I like most about it is that I can be running older versions of it and any major security updates still get back-ported. There's a clear understanding that users rely on the platform for stability and security. Keeping up to date with security is usually a trivial matter. Barring a few non-free components, I'm not beholden to hardware manufacturers or the people who sold me the system to fix defects or being stuck with Hobson's choice of either living with can't fix/won't fix problems or going through a painful migration to the next iteration of the platform. (Or worse: having to replace my hardware because there is no software upgrade path).

    I like Android for the semblance of openness it has, but really the whole thing is rotten to the core.

    1. Gene Cash Silver badge

      Re: RMS not looking so nutty now

      Yup, I've been a Debian user for ages too, but now I'm taking it in the butt from systemd telling me I can't automount my camera, breaking support for my ancient Epson scanner and other things, so I'm moving on.

      Heck, recently I wanted a cell-enabled Android tablet that was not carrier-locked, to use as a big-screen GPS among other tasks.

      Apparently there is no such beast that isn't some one-off Chinese fly-by-night job, so I bought my first Apple product after being an Android user since Eclair.

      It was almost impossible to discover particulars about various Android devices.

  8. tony2heads

    ChompSMS

    claims to work around it

    1. dotdavid

      Re: ChompSMS

      They, like Google's Messenger SMS app, merely prevent video/MMS autoplay to prevent exploitation. It works but isn't ideal.

  9. Barry Rueger

    Can they fix Android?

    I'm repeating myself, but it will require some very large lawsuits to force Google, manufacturers, and carriers to fix this mess.

    Each of those should be terrified to think that their customers are doing banking, stock trades, business email, and other sensitive business using devices that likely will never see security updates.

    It's just a matter of time before something large and expensive uses an unpatched exploit to hammer hundreds of thousands of users on a scale that cant be ignored.

    1. Anonymous Coward

      Re: Can they fix Android?

      Apple, I'm afraid, will fix the situation.

    2. Anonymous Coward

      Re: Can they fix Android?

      Have you checked out all the EULAs you agreed to on your Android phone? I know every time I get a new iOS version on my iPhone it is ridiculously long - I just click Agree without even bothering to read it. I'm sure if they added something draconian El Reg the Apple haters will be on top of it in no time :)

      I'll bet Google and Samsung et al have indemnified themselves against any consequences, and you've given up the right to sue. You'd have to agree to binding arbitration....good luck getting more than a $5 credit at the Play Store or a $50 discount on your next Android phone from the OEM!

    3. SImon Hobson Bronze badge

      Re: Can they fix Android?

      @ Barry Rueger

      > it will require some very large lawsuits to force Google, manufacturers, and carriers to fix this mess

      Not necessarily ...

      @ DougS

      > Have you checked out all the EULAs you agreed to on your Android phone? ...

      > I'll bet Google and Samsung et al have indemnified themselves against any consequences, and you've given up the right to sue.

      Well this is where those of us in the UK have an advantage - we have the Unfair Terms in Consumer Contract Regulations which basically blow many of the restrictions in an EULA out of the water. ANY contract term that seeks to remove a consumer's legal rights is automatically void - and so can be ignored.

      Then we have the Sales of Goods and Services Act (which IIRC is superseded by something with a harder to remember name - but which gives the same protections) which lays down other requirements - specifically an implied contract term that the goods will be "as described" and "fit for purpose" and "reasonably durable".

      If you have a phone with this bug then it's very clear that it was a "manufacturing defect" - should be no problem showing that it was present when bought. And if the phone is not capable of receiving messages without getting "damaged" then it's clearly not fit for purpose.

      Thus what we need to do is for a large number of people to go back to whoever sold them the phone and demand it be "repaired" (or replaced, or refunded). The retailer is legally liable, this isn't something they can wriggle out of with disclaimers - they are responsible for fixing the problem, or replacing the faulty goods, or refunding the purchase price (less, if as is likely it's not nearly new, an allowance for the use that's been had from it).

      If enough people push this, then the big sellers will push back at the manufacturers. The carriers and the Carphone Warehouse type operations have enough clout to make the manufacturers think again.

      And the only time limit is the general statute of limitations for civil cases which is 6 years in England and Wales, 5 years in Scotland IIRC.

      So no "big legal fights", just a "death of a thousand complaints". And this applies (by EU directive) to every country in Europe in some form or other.

      Just think if (say) 10% of European users with unpatched phones did this :-)

    4. Anonymous Coward

      Re: Can they fix Android?

      The fix is easy. Stop believing everything you read on the Internet.

      Buy the RIGHT Android device and it's patched promptly, just like Apple devices, just like Nexus devices.

      I have a Sony Xperia and its patches are bang up to date.

      Security companies are snake oil vendors, playing up the significance of problems in the hope you will buy their product (we don't buy from companies that opt for this marketing strategy, as it shows deep dishonesty within their company).

      How many Android devices have you seen affected by Stagefright or any other malware?? It's an easy question to ask, and easy to answer. However it seems many here aren't smart enough to see it.

      1. paulc

        Re: Can they fix Android?

        I have a Sony Xperia and its patches are bang up to date.

        Oh really?

        build date for the most recent kernel on mine is Sun May 11 2014... and when I check for system updates, it says there are none...

        1. Anonymous Coward

          Re: Can they fix Android?

          You know this isn't a kernel bug right??? It's an Android library bug.

          Seems you are just another one of the endless bedroom experts here that actually knows a lot less than you think you do.

  10. xj650t
    Mushroom

    As a Galaxy Note 2 owner

    I know there's no update coming down the line from Samsung.

    Are Android phones the new Adobe Flash?

    1. Anonymous Coward

      Re: As a Galaxy Note 2 owner

      >Are Android phones the new Adobe Flash?

      No, you get fixes for Flash bugs.

  11. Federal

    The fix is obvious and elegant

    Include a stagefright exploit in the daily Google Doodle. Patched phones would be unaffected but other phones will be pwned and accessed at root level, without the need for carrier intervention or jailbreaking/rooting the phone. The exploit will check all potentially vulnerable files. When any such file is found, the exploit will download and install a patched replacement, then reboot the phone.

    Everyone goes to Google's home page once in a while, so there would be universal implementation of the patches.

    :-)

    1. sisk

      Re: The fix is obvious and elegant

      Brilliant idea, but I could see this causing some issues with custom (and vendor modified) ROMs if it replaces a customized file with a stock one. Still it's probably the most workable solution to patching vulnerabilities in an ecosystem as fractured as Android as I've seen.

    2. phil dude
      Thumb Up

      Re: The fix is obvious and elegant

      @Federal: Silly, but practical.

      I like it ;-)

      P.

    3. Adam 1

      Re: The fix is obvious and elegant

      Reminds me of Welchia

    4. SImon Hobson Bronze badge

      Re: The fix is obvious and elegant

      > Include a stagefright exploit in the daily Google Doodle

      One teensy little problem there - it would be criminal (not just "not lawful", but explicitly prohibited) in quite a few countries (Computer Misuse Act in the UK). I know this is Google who seem to have a different idea of what should be legal, but I think even they'd find this hard to defend.

      > Everyone goes to Google's home page once in a while

      Err, I don't !

      OK, I tell a lie - I've been there a couple of times this year when I've been told there's an interesting doodle.

      Put the exploit on every page and that's a different matter.

  12. Richard Taylor 2
    Joke

    Don't worry commentards

    I'm sure it is worse on Apple devices, don't consider the day ruined yet

  13. Bota

    So it's a choice of..

    Apple - nsa inside walled garden

    Google - nsa inside, can root and do some fun stuff but open like Paris Hilton

    Windows - nsa inside and likely no issues

    Or jolla phone - maybe the safest bet?

    1. Fitz_

      Re: So it's a choice of..

      Apple are the ones being threatened with fines for not allowing back doors into iPhones and messages. The lack of other companies receiving this attention should be cause for concern.

      /justsaying

  14. tentimes

    OTA updates DIRECT from Google to Branded phones

    I see the big problem here being the delay between Google making a patch and manufacturers/operators incorporating that into their patch. If Google could just patch straight away and all devices were updated at the same speed as Nexus devices then this would go a long way to helping mitigate the problem. As it is, manufacturer patches are MONTHS behind urgent Google patches.

    Now, I don't know how hard this is to do (even though I am currently learning Android and have written a couple of basic apps - doh!) but it simply has to be done. The firmware has to be compartmentalised such that a pure Google patch can be done on every phone (and is done in cases like this).

    This kind of security flaw really erodes faith and trust in the platform and we cannot go on like this.

    1. paulc

      Re: OTA updates DIRECT from Google to Branded phones

      the OS needs splitting into core (which automatically gets updates from Google) and manufacturer overlay

  15. Anonymous Coward

    HTC 620 Already patched..

    According to the linked vuln. scanner I'm already patched even for this new one. The update came OTA last week.

    1. DanboMB

      Re: HTC 620 Already patched..

      You're not. What *every* article about this fails to mention is that the checker isn't checking for these vulns yet...

      https://blog.zimperium.com/zimperium-zlabs-is-raising-the-volume-new-vulnerability-processing-mp3mp4-media/

      "At this point, we do not plan to share a proof-of-concept exploit for this new vulnerability with the general public. Once a patch is available, we will update our Stagefright Detector app to detect this vulnerability."

  16. Anonymous Coward

    Really???

    In the real world:

    Apple store chock full of infested apps.

    Consumers with Windows, most of them riddled with malware

    Android, hmm, lots of chatter, but nothing actually real..

    Go figure...

    Ever get the feeling you've been cheated????

  17. Jos V

    Wealthy?

    "People owning the 20 per cent of devices running Lollipop or later are probably wealthier than others, and therefore more attractive targets."

    Not entirely sure how any of the miscreants would deduce I'm wealthy, just because I have a $120 MotoG, that got upgraded to 5.1 a week or so ago.

    Leaving this aside, CVE-2015-3876, and CVE-2015-6602 are not checked for in the stagefright detector app (thanks for the link). Are different bug reports assigned to the new threat?

  18. Unicornpiss
    Meh

    It doesn't matter what device you own..

    As complexity increases, we're going to see more and more of this on all platforms. The only reason Windows phone users are mostly unaffected is because there are so few out there that malware writers are targeting more popular platforms. (Ironic if you think of all the malware that affects Windows)

    I'm not sure what the solution is, but you can only add so much security to a device and platform before the usability is affected beyond any gain in security. I think the efforts to not be pwned have to come from the OS devs, the service providers, the app store overseers, and also the public has to be smart enough not to click on everything that comes their way. (of course there are idiots that will sleep with anyone and not use condoms either)

    With millions of lines of code even in fairly simple games these days, much less an operating system, it's currently impossible to anticipate every crack that someone will find a way to stick their foot in.

  19. Anonymous Coward

    Google is responsible

    @ratfox, agree that Google at one point had to make concessions in order to get Android adopted. That time has passed. I would think if it chose to, Google could fix this in the next MAJOR release: Encapsulate the code that hardware vendors and mobile carriers have access to. Then Google can patch the core OS via the Play store, and vendors can continue doing OTA patches for just their subsystems as they need to. This would be a huge effort, and a headache for vendors initially.

    OTOH, not having a proper way to promptly patch security flaws is evil.

    1. Anonymous Coward

      Re: Google is responsible

      True, but it's also the norm for the phone makers. Why patch something when you just declare it obsolete and tell everyone, "Time for a new phone!" But Android as it's built now can't separate the two, and it's too late to fix Marshmallow, so it'll have to wait for Android N (Nougat? Nut Bar? Necco?), and given this would be almost a top-down teardown, it'll take a while.
