back to article Stagefright flaw still a nightmare: '850 million' Androids face hijack risk

Mobile security biz Zimperium reckons 600 to 850 million Android devices are still vulnerable to a Stagefright flaw that lets webpages and videos inject malware into phones and tablets. Stagefright is a software library buried deep within Android that processes multimedia files. It is used by a key Android component called …

Meh

Too risky to use Android browsing the web.

I restrict all my web browsing to my desktop computer; not only is the screen much larger and the mouse and keyboard more convenient, it is much more secure, fully patched and with extra safeguards such as NoScript and Adblock.

In view of all the half-assed Android patching, or no-patching, I certainly wouldn't use my smart phone for accessing online banking or anything else of a sensitive nature. I gather Google are pushing something called Android Pay too? No thanks. Android just doesn't seem like a safe/secure environment to me. I'll just continue using my smart phone for making calls, playing chess, listening to MP3's stored on the SD card, or reading (free) Kindle books. Web browsing on Android? No chance.

12
9
Anonymous Coward

Re: Too risky to use Android browsing the web.

and along comes Google Pay to spice things up a bit.

Come on Alphabet get your frigging act in order. Refuse to let the google pay app be installed on any version of android that is vunerable to these sorts of threats.

Perhaps this will make the device manufacturers get their act together with updates.

Until then, the only game in town for secure operation is Apple. At least they do issue patches/updates.

8
4
Silver badge

Re: Too risky to use Android browsing the web.

> with extra safeguards such as NoScript and Adblock.

All of which are available on android too.

1
0

Re: Too risky to use Android browsing the web.

@Adam 1, That as may be, but if the OS isn't properly patched, using the Android equivalents of NoScript and Adblock would be rather like having window locks on your property and security bolts on your front door but leaving the back door wide open. Extra security in one area doesn't compensate for a lack of security elsewhere.

2
2
Silver badge

Re: Too risky to use Android browsing the web.

NoScript IIRC ALSO safeguards media tags, making them click-to-play.

1
0
Coat

click-to-play won't protect against trojan smut!

But I'm guessing the unspoken elephant in the room is that some of us might be using our phones / tablets to surf for free tuggables. And there is a veritable Aladdin's cave of dodgy MP4s out there, and anyone who wants to get their thang on is not going to be shielded by a click-to-play protection. Because no play == no funsies.

Icon because, ahem.

0
1
Silver badge

Re: click-to-play won't protect against trojan smut!

Then as the comedian once said, "You can't fix Stupid." At some point, you just have to give up the hopeless idiot as a lost cause.

0
0

The update channel on Android is fatally flawed

There are too many parties involved, and too little incentive for the manufacturers that are dragging their feet to move faster. Older handsets (by which I mean anything not current gen) are neglected as a way of encouraging end users to upgrade to the latest and greatest.

I'll still never buy an Apple device though. Wonder if my Nokia 3310 still works. Actually, why do I even ask, of course it does.

11
0

Re: The update channel on Android is fatally flawed

I would put the carriers as the number one problem. If you go for a brand new phone you might get one update if you are lucky. Get a "free" phone and forget it. Even if there is a newer version of the software available from the manufacture then what is on the phone when you take it out of the box don't expect to ever get the update.

It's been like that forever, they treat phones the same as toasters. When I bought a moto Razor it came with ver 1.0 software that almost worked. There have been at least 3 upgrades released by moto, but zip from the phone company so I had to Debrand the phone so I could install factory software that was usable.

Why would a manufacture upgrade the software for a 2 year old phone if they know that no one will ever see it. I have a nexus 4 and might be looking at the next smallish nexus to come out after the 5x.

0
0

If you want Android get a Nexus

The god-awful state of Android security patching to me signals that you really should not consider any Android device but a Nexus. Or, I suppose, any manufacturer that sells unlocked devices (and therefore not dependent on carriers) and vows to roll out security patches quickly, and keep them coming for at least a couple of years.

This led me to just replace my 1st-gen Moto G with a Nexus (okay, this and the Google Fi fire-sale on the device.)

However, I don't know where this leaves the vast Android entry-level market. I don't know of a single entry-level phone at the moment where I would expect prompt and long-lasting patching.

Google really needs to fix this problem, or somebody else will come along who will.

1
1
Silver badge

Re: If you want Android get a Nexus

"Google really needs to fix this problem, or somebody else will come along who will."

Who? Not Mozilla. Not Canonical. Not Blackberry. Not Nokia. Not even Microsoft, although strange as it may seem they may be the only hope.

Would you buy a new phone with no app support?

The industry's crying out for a proper open source phone but the sadly I think the moment has passed. Maybe we need someone to emerge as the new RMS for the mobile first era.

2
0
Silver badge

Re: If you want Android get a Nexus

"Google really needs to fix this problem, or somebody else will come along who will."

Who? Not Mozilla. Not Canonical. Not Blackberry. Not Nokia. Not even Microsoft, although strange as it may seem they may be the only hope.

The miscreants will in a way. Once enough of them have been compromised and probably binned, the word will spread and Android will either need to be supported by the manufacturers or die.

0
0
Silver badge

850 million at risk

And 850 million people who haven't had a problem.

It may be "...yet" but it is likely one of the reasons people are resigned to whatever risk there actually is. And I doubt many of those 850 million could upgrade their Android version if they wanted to.

4
0
Silver badge

Re: 850 million at risk

Because they're all UNOFFICIAL upgrades, and Android apps are increasingly becoming root-aware and custom-aware, meaning upgrading now entails a serious tradeoff.

0
0

Hooray for Cyanogen mod

On the one hand, 97% of users will never consider using it, but on the other hand last week I updated my phone from stuck-on-4.4.2 to 6.0.1.

Which shows that it can be done, just that the manufacturer / network operators can't be bothered.

11
0
Silver badge

Re: Hooray for Cyanogen mod

I'm actually in the process of getting a suitable 2.hand android device just for running CyanogenMod. After considering various alternatives, it now looks like the least bad smartphone successor for my WP7 device (which otherwise works OK, but is getting more and more trouble with incompatible web pages).

1
0
Anonymous Coward

Screw you Samsung

My Samsung Galaxy Note Pro 12.2" (supposedly a "Pro" model) is still stuck on Android 4.4.x. Samsung haven't released updates in ages. So, Fuck You Samsung.

Time to buy an iPad Pro. At least that will receive updates for a few years.

1
1

Re: Screw you Samsung

Or a Nexus 9.

Just saying.

3
0
Anonymous Coward

Re: Screw you Samsung

Not a chance. This was my first and only experience with Android. Compared to iOS - even iOS 5 on my iPad 1 - Android is a steaming pile. Personally, it should be taken out the back and shot. Naturally, YMMV. ;)

2
0
Silver badge
Unhappy

Re: Screw you Samsung

My Galaxy S2 is still on 4.1.2. And that was an upgrade a few years back. It's unlikely to see an upgrade of Android ever again and I suspect the company won't upgrade the phone itself to a newer model unless it dies.

I predict some clumsiness on my part in the near future. Knowing my luck they have a drawer full of these antiques.

1
0
Silver badge
Linux

The fragmented Android marketplace :o

Why all the verbiage, just get straight to injecting the Android fragmentation fud .. instead of the more mundane .. Android vulnerability found and patched.

2
1
Anonymous Coward

Re: The fragmented Android marketplace :o

The Android fragmentation is the real issue that's why. So Google patched it. Good for them. Not a lot of use to the users of the devices if the patch can't be applied.

3
0
Silver badge

Play installs firmware?

"Nexus devices are the exception: they can install Google's firmware updates via the Play services"

Er, no. Not for my new Nexus 6P at least. It installs OS updates through the same OTA mechanism as any other Android phone. The difference between my 6P and anything else is that this comes from Google and not my carrier or device manufacturer.

You might be confusing it with the fact that Play now updates essential libraries and other large chunks of the OS as well as applications.

Device manufacturers are just as shit as carriers. My old Moto G got ONE OTA update (to a buggy version of Lollipop) the entire 2 years I had it.

I bought it because I thought Motorola was working with Google to provide updates and security. I was wrong. (EDIT: I also bought it because it was made in Ft Worth, Texas, and then Motorola closed that and moved the jobs overseas)

This is why I passed up the Moto X Pure Edition for the twice-as-expensive 6P.

0
0
Pint

Re: Play installs firmware?

Seems like they need to break Android into 3 pieces: Device Drivers, OS, and Overlays. The device drivers are provided by the manufacturer for their specific hardware, and seldom if ever change. If they need to they can be updated OTA. The OS comes from Google, and is updated OTA. The Overlays come from the carrier, and are routed to dev/null.

And there was rejoicing all around.

3
0
Silver badge

Re: Play installs firmware?

Overlays have been around since Lollipop, but they're only now getting carrier and manufacturer attention.

As for separating the drivers and the rest of the OS, Android N should be a start to this if Google's word is accurate. Drivers can get tricky since they're usually tied to the kernel (due to the architecture; hardware on ARM is usually static rather than dynamic like it is on x86), and if the kernel itself has a problem, this can create a cascade effect.

And then there's the matter of the manufacturers working in cartel to keep a captive market. Especially now with Android apps increasingly root- and custom-aware.

And as for choosing Nexus, the main reasons I don't like them are lack of a removable battery (probably the least graceful part of the device to age) and lack of an SD slot.

2
0

Exploiting this vulnerability is not trivial, as suggested

Taking advantage of this flaw was supposed to be difficult, with ASLR making it very difficult to deliver a viable payload. However, ASLR was added with 5.0, so is NBG with older devices (and "old" isn't referring to ancient). Any anyway, this is no longer the case since North-bit demonstrated a proof of concept:

http://blog.frankleonhardt.com/2016/android-stagefright-bug-gets-serious/

0
0
Silver badge

What is the point of this article, other than as advertising?

It's stating the obvious. It hasn't changed. It's not going to change without legislation.

Let's do something useful on mobile phone review scoring out of 10. Take the overall score.

No commitment for at least three years of patching and Android upgrades (if the phone hardware can handle it) : cost in £100s/divided by £100 multiplied by minus two (£100=-2, £400=-8)

No unlockable bootloader and rooting capability : -11

No commitment to provide drivers/developer documentation so third party ROMs can be created for the latest released Android version (after a reasonable timescale) : -11

Manufacturer has form of lying about upgrades that are perfectly possible, technically : -4

No removable battery : -3

Note that doesn't mean they're obliged to enable upgrades to later versions for third parties - provided the latest supported version of Android for that phone can be patched, they get a pass.

If the score is below zero, the entire review is 'This phone got a score below zero. Only idiots buy phones with a score below zero. Are you an idiot?'

Of course the current situation, and the 'your non removable battery no longer holds a charge, better buy a new phone' attitude, keeps people on a two year phone upgrade treadmill.

Google (Nexus) do not get a pass on this one - they only patch phones up to about three years old.

Note that the Blackberry Priv, which Blackberry said would have news about a Marshmallow update 'in 1Q 2016' have seven days left to tell its users when an upgrade will be arriving..

Don't trust any mobile phone companies, don't buy an Android phone that can't be unlocked and rooted, and have Cyanongenmod applied to it. Going to update my 2012 phone to Marshmallow tonight, as it now has an SELinux enabled build, with official Cyanongenmod nightlies not far off. Without that I'd be stuck on insecure ICS.

1
0
Silver badge

Re: What is the point of this article, other than as advertising?

"Don't trust any mobile phone companies, don't buy an Android phone that can't be unlocked and rooted, and have Cyanongenmod applied to it. Going to update my 2012 phone to Marshmallow tonight, as it now has an SELinux enabled build, with official Cyanongenmod nightlies not far off. Without that I'd be stuck on insecure ICS."

And what about the increasing number of apps that don't like running in a rooted or custom ROM environment?

0
0

Re: What is the point of this

"And what about the increasing number of apps that don't like running in a rooted or custom ROM environment?"

Personally I haven't encountered any problems like this with apps; then again I'm not a great app aficionado - I particularly hate websites that nag you to install their app (TripAdvisor is a personal peeve).

0
0
Anonymous Coward

850 million reasons to buy a fruity phone

1
1
Anonymous Coward

ORLY? Let's face it. BOTH iOS and Android have big fat targets on their back. So does Windows, and not even MacOS and Linux are safe. All you can do at this point is live with it. After all, you may just get shot through your bedroom window by a ballistic bullet fired by a drunk shooter several miles away. Pick your poison.

0
2
Silver badge

Custom ROMs

Not for everybody, but some might consider running AOSP or Cyanogenmod. Of course Google Pay and some other apps may not run, as has been mentioned.

It looks like it's the only way I'm going to get Marshmallow on my S4. Still running 5.0.1. Feh.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018