'Stagefright' vulnerability compromises Android phones with 1 text message, may affect 950M devices

123468

Comments

  • Reply 101 of 157
    mnbob1mnbob1 Posts: 269member

    Many complain about Apple's closed system but it is there to protect against this kind of attack as well as keeping your data from being compromised between apps and to malicious websites.

    The real genius was to get ATT to completely fall in line, in return for which, Steve gave them the promised exclusivity (even in the face of considerable commentary that said Apple should move to other carriers quicker). Rumors then also had it that Verizon wanted carrier control, but Steve told them to take a hike.

    Once ATT was in the bag, the rest had no choice but to follow.

    Remember that the iPhone was a completely different device at the time. Apple was confident of its success (or at least hopeful).

    AT&T was willing to take the risk in exchange for an exclusive 2 year deal. Jobs negotiated that AT&T could not add any carrier software to the iPhone which was unheard of at that time since it brought money for the carrier. Apple subsidized AT&T for each iPhone. The iPhone was more successful than Apple or AT&T could have ever imagined.

    The iPhone 3 was released and pushed AT&T to upgrade their network to handle the new 3G traffic from not only the iPhone but all of the new Android phones that came after and copied the iPhone 3G and 3GS.

    After the 2 year contract ended the iPhone was offered to other carriers but Verizon was slow to take it because they are the kings of bloat ware. Apple offered only the same deal that AT&T had. Verizon doesn't promote the iPhone as much as Samsung and other Android phones, you'll find them in the back of the store and the employees offer them only when a customer asks about one. Verizon makes more money selling even a cheap Android phone and could care less about the quality of the hardware durability. Some they can't sell because they only come in GSM. The Google Nexus is a good example. GSM is a global standard. Verizon's CDMA is pretty much stuck in the U.S. That leaves AT&T and T-Mobile.
  • Reply 102 of 157
    gatorguygatorguy Posts: 24,176member
    sog35 wrote: »
    Stagefright has been around for FIVE YEARS.

    I can't imagine how many people got hacked on Android devices since then.
    Due to "Stagefright"? Apparently no one (yet?). FWIW the webview exploit AI reported months ago that supposedly exposed 900M Google Android smartphones to attack hasn't actually resulted in any attacks either. If it had compromised even a few handsets it would be all over the news.
  • Reply 103 of 157
    gatorguygatorguy Posts: 24,176member
    sog35 wrote: »
    many people won't report they were hacked.
    many have no idea they were hacked.
    Extremely doubtful it would have avoided the news if it happened as I'm sure you agree but won't acknowledge. It would be the perfect clickbait.

    IMHO this may be similar in danger to the supposed iOS keychain exploit that reportedly would expose nearly every iPhone to bad guys. Strangely reports of actual iPhones being taken over are non-existent. Malware stories make great page-view attractants tho.
    http://www.cultofmac.com/326567/mac-ios-malware-vulnerability/
  • Reply 104 of 157
    pmzpmz Posts: 3,433member

    The joys of an "open" OS.

  • Reply 105 of 157
    gatorguy wrote: »
    Due to "Stagefright"? Apparently no one (yet?). FWIW the webview exploit AI reported months ago that supposedly exposed 900M Google Android smartphones to attack hasn't actually resulted in any attacks either. If it had compromised even a few handsets it would be all over the news.

    That's quite the claim. You have any actual proof other than "if it happened it would have made the news"?

    Thank God we have Google Play Services so it can send out the fix to all affected devices at once. Oh wait, it can't. Like I've been saying for years now.
  • Reply 106 of 157
    gatorguy wrote: »
    Due to "Stagefright"? Apparently no one (yet?). FWIW the webview exploit AI reported months ago that supposedly exposed 900M Google Android smartphones to attack hasn't actually resulted in any attacks either. If it had compromised even a few handsets it would be all over the news.

    So security through obscurity? Or lack of reporting in the news? What kind of security is that? Wishful thinking?
  • Reply 107 of 157
    Quote:

    Originally Posted by Apple v. Samsung View Post





    Not quite Samsung, HTC, lg, and Motorola have been doing a great job supporting their devices. (I mean the time it takes to take source code recode to the specifics of a device and test it). International phones get updates in under two months and many cases now. Remember Android is not iOS and these things take longer when you don't make the software.



    I personally for my Android phone use CM12 so I have been patched.



    NONE of ANY Android devices sold for/through prepaid (Net10, Straight Talk, Tracfone, Boost etc.) get updates (actual carrier prepaid could be an exception), and that's a pretty decent chunk of the Android installed user base. 

  • Reply 108 of 157
    That's quite the claim. You have any actual proof other than "if it happened it would have made the news"?

    Gatorguy's "actual proof" is the fallacy of "absence of evidence is evidence of absence." He's desperate to exonerate Android.
  • Reply 109 of 157
    beltsbearbeltsbear Posts: 314member
    Quote:

    Originally Posted by mstone View Post

     

    Surely the exploit can do more than delete its own MMS message. Does the attacker get control of the device?




    They get control of the privileges of the preview section which is substantial including microphone, camera and all previous text messages as well as access to the internet to send and receive malicious data.  They do not get the whole phone unless there is a second exploit that can manage greater access. 

  • Reply 110 of 157
    beltsbearbeltsbear Posts: 314member
    Quote:

    Originally Posted by Gatorguy View Post





    Due to "Stagefright"? Apparently no one (yet?). FWIW the webview exploit AI reported months ago that supposedly exposed 900M Google Android smartphones to attack hasn't actually resulted in any attacks either. If it had compromised even a few handsets it would be all over the news.



    70% of the Android phones that are vunerable will not be updated.  So this will be different. 

  • Reply 111 of 157
    beltsbearbeltsbear Posts: 314member
    Quote:

    Originally Posted by pmz View Post

     

    The joys of an "open" OS.




    Android for the most part is not open.  Most people do not have root nor complete source code for what is in their phones.  Ubuntu is an example of an open platform.  If this were a real open platform there would be an update for just the problem part of the code.  That is MUCH harder with Android due to its locked nature.  

  • Reply 112 of 157
    kpluckkpluck Posts: 500member
    Quote:

    Originally Posted by DaveN View Post



    To Google's credit, they applied the supplied fix quickly to their internal builds. On Android user's detriment, most will never be able to obtain the fix because of the way Google licenses Android.

    Ok, I will bite...please explain how the way Google licenses Android is responsible for OEMs not updating their phones and also is responsible for the way cell carriers hold up updates.

     

    -kpluck

  • Reply 113 of 157
    gatorguygatorguy Posts: 24,176member

    Thank God we have Google Play Services so it can send out the fix to all affected devices at once. Oh wait, it can't. Like I've been saying for years now.
    If all new Apple features can't be installed on ALL iPhones with an OS update it doesn't mean that iOS didn't have new features. Same with Play Services, bypassing carriers and OEM's. Despite your inferences or claims to the contrary it can take care of many security issues/enhancements and feature updates for nearly every Google Android handset in use. Just not ALL security issues/enhancements and feature updates.

    ...Just "like I've been saying for years now". :rolleyes:
  • Reply 114 of 157
    gatorguygatorguy Posts: 24,176member
    beltsbear wrote: »

    70% of the Android phones that are vunerable will not be updated.  So this will be different. 
    To be more accurate If the security researcher who discovered this is correct only 11% of Google Android handsets have a significant exposure. There's not much it can do in handsets with Jellybean or better. But of course those old handsets are the ones least likely to be updated so it's still a potentially very troubling problem. After the upcoming Blackhat conference there will no doubt be more details appearing on the blog sites.
  • Reply 115 of 157
    gatorguygatorguy Posts: 24,176member
    sog35 wrote: »
    Nexus phones older than 2 years also won't be updated by Google.

    Basically about a hundred million to two hundred million Android phones will be open to attack without any updates.
    I don't think Google ever said Nexus devices older than 2 years would not get any updates. You may be misreading it. I thought there was a mention once that they were only guaranteed updates for 18 months tho even that might not be accurate.

    Just as a note according to the researcher, on the devices that are exposed to the exploit:
    "In general the attackers will get access to the microphone, camera and the external storage partition, but won't be able to install applications or access their internal data."
  • Reply 116 of 157
    patpatpatpatpatpat Posts: 628member
    Quote:
    Originally Posted by sog35 View Post

     

     

    Nexus phones older than 2 years also won't be updated by Google.

     

    Basically about a hundred million to two hundred million Android phones will be open to attack without any updates.


    Utter bullcrap. I have a Nexus 4 from 2012 which is happily running the latest Android 5.1.1 from Google.

     

    I also have a 2012 Nexus 7 which got an Android 5.1 update in March.

  • Reply 117 of 157
    stevenozstevenoz Posts: 314member

    I thought this article was poorly written in that it didn't say what the exploit does... only that various things trigger the execution of code.

    What does it do? Does accessing StageFright in Android allow for full-control or what? What is happening with the multiple executions of code? This article was a rip-off of another article that doesn't clarify it either.

  • Reply 118 of 157
    gatorguygatorguy Posts: 24,176member
    stevenoz wrote: »
    I thought this article was poorly written in that it didn't say what the exploit does... only that various things trigger the execution of code.
    What does it do? Does accessing StageFright in Android allow for full-control or what? What is happening with the multiple executions of code? This article was a rip-off of another article that doesn't clarify it either.
    See post 128. Most Android devices would not permit "full-control" according to the security researcher reporting on on it. Details aren't really known other than between Google, the OEM's and the researcher. Those details will probably hit the news after the 5th of August.
  • Reply 119 of 157
    davendaven Posts: 696member
    Quote:
    Originally Posted by kpluck View Post

     

    Ok, I will bite...please explain how the way Google licenses Android is responsible for OEMs not updating their phones and also is responsible for the way cell carriers hold up updates.

     

    -kpluck




    By not requiring that OEMs make security updates available to the phones' owners. Android isn't free and open like Linux. OEMs are required to have Google as the default search engine and retain other Google services. Funny how Google requires things of it's OEMs when it is in Google's interest but doesn't require things of OEMs 

    Quote:

    Originally Posted by kpluck View Post

     

    Ok, I will bite...please explain how the way Google licenses Android is responsible for OEMs not updating their phones and also is responsible for the way cell carriers hold up updates.

     

    -kpluck




    By not including a requirement that OEMs make security updates available to users. Google requires licensees keep profitable Google services in the system, why can't they require that OEMs make security updates available. As for carriers blocking it, carriers don't block iOS updates because of Apple requirements, why can't Google/OEMs require the same of carriers?

  • Reply 120 of 157
    gatorguygatorguy Posts: 24,176member
    sog35 wrote: »
    5.1 is almost a year old dude.

    So you just made the 2 year cutoff.  You are on your own from now on though.
    5.1.1, which is the version he referenced on his Nexus 4, a year old?? Hardly. It wasn't even announced until April this year AFAIK. The Nexus 4 running it was intro'd almost 3 years ago now, Oct/12. Even the previous version 5.1 wasn't announced until March this year. I swear sometimes you appear to be making stuff up assuming no one will notice.
    http://arstechnica.com/gadgets/2015/03/google-officially-announces-android-5-1/
Sign In or Register to comment.