Tag Archives: Stagefright

Android Security Is Improving – But Not As Good As iPhone

The Android community is slowly beginning to understand that they are going to have to step up to the plate and deal with security like Apple has done from the beginning.  The challenge is that unlike Apple, where there is one master in control, the Android community is fractured.  The only one who has any hope of pulling off a solution is Google.  They have the size (money) and the motivation to fix the problem.

Two examples popped up today.

First, Google has stepped up and is issuing monthly security updates – like Microsoft has done for a long time.  Some vendors, such as Oracle, choose to announce patches quarterly.  The advantage of that is that you only have to make 4 updates a year.  The disadvantage is that the patch releases are monstrous – with hundreds of patches in each one – so many companies just ignore them.  Typically, Microsoft’s monthly patch release is in the low teens for number of patches and often those are bundled so users have to deal with fewer details.  Also, the bugs are fixed sooner with monthly releases.  I vote for monthly.

In this month’s Google patch release, there are two patches which can be exploited remotely with specially crafted media files (Argh!, again) – this is a continuing effort to clean up the fright fest which is Android’s media handling (called Stagefright – you may remember that there were two earlier patches to fix problems in Stagefright.  This is number 3.  Expect more – they are announcing them as they fix them).  There are also 3 other patches in this month’s collection.

Owners of Google Nexus phones will get these patches quickly.  Owners of phones from other manufacturers will need to wait until the manufacturers decide to release the patches.

I am an Android user and am seriously considering making a Nexus phone my next phone since Google seems to have gotten the security message.

The other article is about Android Bloatware or Crapware.  Those are the terms for all of the garbage that phone manufacturers think that you want and they need to add to differentiate their phones from their competitors.  In most cases, they are so sure that you want this garbage that they do not give you a way to remove it.  In fact, in many cases, they are being paid by the manufacturers of the software to install it on your phone, which is why they do not let you remove it.  This is another advantage that Apple has.  They control the phones.  Since there is no competition, they control the price and don’t have to install Crapware to subsidize the price of the phone.  This is one reason why Apple phones are more expensive than Android phones.

Google has a research team that hunts for bugs.  Besides hunting for bugs in Windows, Mac OS X and Linux, they are now looking inside Android phones.  This month, they announced that they found 11 bugs inside the Samsung Galaxy S6 Edge Crapware.  These bugs likely won’t be on a Galaxy S5 or on an LG phone as the crapware, for the most part, is tailored to the phone.  Who did Samsung make a deal with for this particular phone?

The biggest risk is in software drivers – the software that talks to the hardware and has the most permissions.  That is where these bugs, for the most part, were found.

The good news is that Samsung has fixed these.  The bad news is that there are hundreds of phones and Google’s researchers do not have the resources to review that many phones.

The manufacturers – like Samsung – need to realize that this is an impediment to sales and deal with it.

One more point.  The patches that Google released ONLY patch Lollipop (5.x) and Marshmallow (6.x).  Almost no one is running 6.x – it is brand new – and less than 15% are running 5.x according to a statistic that I just found.  Almost 75% of the Android users are running 4.x and the patches just released DO NOT protect those users.

In their defense, Apple does the same thing.  They patch the current release and one release back typically.

Android users need to understand that if they are saving money by not upgrading their phones, they are at greater risk of being attacked because these old phones are not being patched.

As Google ramps up their security efforts and releases more patches, they are giving the hackers a road map for how to attack these old phones, making them more vulnerable every month.

Just food for thought.

Information for this post came from two articles in Network World – here and here.

Android Stagefright Rears Its Ugly Head Again

You probably are well aware, at least if you are tuned in to the Android world, of the family of bugs called Stagefright.  Well now there is Stagefright 2.0 and this will be an opportunity for Google and the carriers to prove to us whether they can deal with ongoing security patches or not – something Apple’s iPhone has well in hand, giving Apple the competitive advantage.

As a reminder, Stagefright 1.0 dealt with a series of 6 or 7 bugs related to how Android preprocessed video – in that case, with video text messages called multimedia messages or MMS.

The scary part is that Stagefright, the name of the video subsystem in Android that does this video processing, by default runs in the background so that you can be infected without actually doing anything – no clicks, no downloads, no interaction at all.  You can turn that background preprocessing off but I doubt very many people actually did that.

All a hacker needs to infect you is your phone number.

The patch process was slightly ugly from Google, but mostly ugly from the carriers.  The challenge for the carriers is (a) they don’t get revenue from patches, (b) they still are fooling themselves that they are NOT in the software business and (c) they really are not set up to deal with this.  The consequences are that some people will ditch their Android phone and rent a phone, absent a 2 year contract, from Apple.  That has to keep the carriers’ executives up at night.

So now we move on to Stagefright 2.0.  Zimperium, the firm that discovered the original bugs, has found more Stagefright bugs. This time it affects MP3 and MP4 files.  Google JUST released patches for these bugs to Nexus phone users.  It is now up to the carriers to release these patches to you and me.

In addition, Zimperium has said they are working with Google on another handful of bugs, so this is certainly not the last patch to expect in the near future.

There is a Stagefright Detector app in the Google Play store.  There are actually two;  I would recommend the one from Zimperium.  It is free and does not require any special privileges.   They don’t want to steal your address book or copy your email or anything like that!  What is a bit unnerving is that you don’t have to interact with the app for it to play the hack scenario and see if you are vulnerable.  The Zimperium app tests for each bug individually, so you might see 6 green and 2 red or 7 red and 1 green or whatever the situation is.

If you begin to see red (pun intended), then you need to beat up your carrier – they control the patches.  This is an opportunity for the carriers to get the patch act together.  We will see if they do.

Will the fun never end?


Information for this post came from Android Central and SC Magazine.

Stagefright – The Heartbleed For Android


Stagefright is an Android subsystem that processes video in your phone.  Stagefright has been around since Android 2.2.  That means that the potential to affect around 950 million Android phones exists.

The bugs (there are several of them) that researchers have discovered are really nasty because at least one of them does not even require a user to do anything to infect a phone and all the attacker needs to know is your phone number.  An attack could be constructed where the attacker sends you a multi-media message, which infects the phone and then deletes the message before you even see it.

The researcher will be presenting his findings next week at Blackhat.  Even if he does not lay out a set of “connect the dots” level of instructions, it won’t take but a few days for the hackers to figure things out.  Remember, the code is open source.  That is good news/bad news.  Other hackers can look at the code too and try to figure out the same thing that this researcher did.  Someone will be successful and publish it underground.

Before everyone gasps, newer phones (Jelly Bean 4.1 and later) are LESS susceptible to Stagefright due to other compensating controls that Google has added in newer versions of the Android OS, but that still leaves several hundred million phones that are completely vulnerable and many will never be patched.  And that does not mean that newer phones are completely off the hook – it is just harder.

And, it depends on the particular apps on the phone.  On one version of Messenger, on a Galaxy Nexus, you had to open the message for the exploit to trigger.

So far, Google has released patches to SEVEN vulnerabilities reported to them and they did that in a couple of days.

For all phones, if the exploit is triggered, the hackers will have access to your pictures and videos as well as the phone’s microphone and camera.

Worse yet, some phones such as the Samsung S4 and LG Optimus Elite, run the exploitable process with system level privileges, meaning that if one of those phones is attacked, the hacker has full run of the phone.  You don’t want to hear my thoughts on that decision.

Now on to an old rant.  Even though Google has released the patch, they release it to the phone manufacturers.  The phone manufacturers need to test it to make sure that the patches don’t break any of their valuable bloatware (as one article put it somewhat inelegantly).  Depending on the manufacturer, that could take days or weeks.

Next the phone manufacturer needs to release it to the carrier.  The carrier needs to test it with their bloatware. That usually takes months.

Assuming the phone is still supported at all.


Google really needs to put its foot down here and force everyone to deal with this reality going forward.  I am not counting on that, however.

Hopefully, with all of the press this is receiving, the carriers will be worried about getting sued for not timely closing vulnerabilities that were well known and for which there were patches readily available.  We will see.


Information for this post came from Dark Reading and Forbes.