Latest Android security exploit could leave more than half of current devices 'dead' & unusable
Yet another serious Android security issue was publicized this week, with the latest exploit rendering devices "lifeless," and said to affect more than half of units currently on the market.
The security flaw in Google's Android mobile operating system was discovered by Trend Micro, which reported the issue in May. But no fix has been issued, as Google acknowledged the report as a "low priority vulnerability" on May 20.
The flaw is said to affect devices running Android 4.3 Jelly Bean up to the latest version, Android 5.1.1 Lollipop.
By either installing a malicious app on an Android device, or directing users to a nefarious website, hackers can cause an Android device to become "apparently dead --?silent, unable to make calls, with a lifeless screen," Trend Micro explained. If the exploit is installed through an app, it can auto-start whenever the device boots, causing Android to crash every time the device is powered on.
In some ways, this vulnerability is similar to the recently discovered Stagefright vulnerability," they explained. "Both vulnerabilities are triggered when Android handles media files, although the way these files reach the user differs."
The "Stagefright" Android security issue was publicized earlier this week, and has the ability to affect even more Android handsets --?more than 950 million devices, according to one estimate. Stagefright is the name for a system service in Android that processes various media formats implemented in native C++ Code, and it can be exploited through a simple MMS message.
Unlike the issue discovered by Trend Micro, which has not yet been patched, Stagefright was fixed by Google in the latest versions of Android. But because many users are not running the latest version of the mobile operating system, the vulnerability is said to affect 95 percent of Android device owners, running version 2.2 Froyo all the way up to 5.1.1 Lollipop.
Most Android device owners simply cannot run the latest version of the operating system because of restrictions put in place by handset makers. In contrast, 85 percent of Apple mobile device users are running iOS 8 or later, its latest-generation operating system, while another 13 percent are on iOS 7.
Trend Micro cautioned this week that its new exploit and Stagefright could be just the beginning of other security issues to come.
"Further research into Android --?especially the mediaserver service --?may find other vulnerabilities that could have more serious consequences to users, including remote code execution," they wrote.
The security flaw in Google's Android mobile operating system was discovered by Trend Micro, which reported the issue in May. But no fix has been issued, as Google acknowledged the report as a "low priority vulnerability" on May 20.
The flaw is said to affect devices running Android 4.3 Jelly Bean up to the latest version, Android 5.1.1 Lollipop.
By either installing a malicious app on an Android device, or directing users to a nefarious website, hackers can cause an Android device to become "apparently dead --?silent, unable to make calls, with a lifeless screen," Trend Micro explained. If the exploit is installed through an app, it can auto-start whenever the device boots, causing Android to crash every time the device is powered on.
In some ways, this vulnerability is similar to the recently discovered Stagefright vulnerability," they explained. "Both vulnerabilities are triggered when Android handles media files, although the way these files reach the user differs."
The "Stagefright" Android security issue was publicized earlier this week, and has the ability to affect even more Android handsets --?more than 950 million devices, according to one estimate. Stagefright is the name for a system service in Android that processes various media formats implemented in native C++ Code, and it can be exploited through a simple MMS message.
Unlike the issue discovered by Trend Micro, which has not yet been patched, Stagefright was fixed by Google in the latest versions of Android. But because many users are not running the latest version of the mobile operating system, the vulnerability is said to affect 95 percent of Android device owners, running version 2.2 Froyo all the way up to 5.1.1 Lollipop.
Most Android device owners simply cannot run the latest version of the operating system because of restrictions put in place by handset makers. In contrast, 85 percent of Apple mobile device users are running iOS 8 or later, its latest-generation operating system, while another 13 percent are on iOS 7.
Trend Micro cautioned this week that its new exploit and Stagefright could be just the beginning of other security issues to come.
"Further research into Android --?especially the mediaserver service --?may find other vulnerabilities that could have more serious consequences to users, including remote code execution," they wrote.
Comments
He's our version of Donald Trump. Lots of noise, little follow up. Sorry.
It was laughable at the time and lampooned by the tech media, and rightly so - they were (and still are) regularly reporting serious Android security lapses/exploits.
Google didn't build Android, and what they did build has been rushed. It's what happens when the direction of the platform is in a constant state of reactionary-change and a company mission that changes with the wind.
Let’s see, the Wild Wild West vs the Walled Garden, what to do, what to do.
Of course security matters, particularly business-wise. If Android devices aren't relatively secure then users eventually look elsewhere, Apple or even perhaps Microsoft.
As someone mentioned yesterday Google decided early on that the best way to distribute Android was via OEM's and making it attractive was the best way to get them on board. Now that the platform is established it's time for Google to take better control of it, and maybe they are. Many of the OEM's appear to be putting a greater emphasis on timely updates. If they'd do as Moto does it would work well. Their OS updates sometimes get delivered to users devices even quicker than Google themselves get it out to Nexus models. No particular reason that other manufacturers could not do the same if they'd just make better choices on how Android is integrated with their handsets.
But as mobile OS's take over the market you can expect more and more of these "exploits" to pop their heads out of the ground. iOS recently had their own exploit that could cause the same continuous reboot if making a connection to a bad player with wi-fi.
https://www.yahoo.com/tech/no-ios-zone-exploit-lets-hackers-continuously-117171131494.html
iOS had it's own recent exploit that potentially affected every device via key-chain. (Has that been completely patched yet? I don't think so but maybe.)
http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/
But advantage Apple here by far. I don't think they necessarily respond to security issues faster than Google does or perhaps even have fewer problems, but without hands being tied by outside manufacturers and carriers they can usually get the fixes out to users faster and that's what's important. Google is just going to have to take firmer control of Android IMHO.
While the original plan worked well, perhaps too well even, it's time to move on and be more Apple-like in the way Android is controlled. That's of course if regulatory folks in the EU will allow it.
AnywayiIn general mobile operating systems are considered far more secure than "desktop" ones. Maybe as they become even more intricate and interactive that might change. I hope not. In the meantime look for many more "discovered exploits" in mobile.
Don't worry. Google Play Services will send out a fix right away. /s
nice balanced response Gatorguy.
lets see if Google takes control of Android in the next few months.
Yes, his response actually said something instead of just bating the two of you into a prolonged fight.
As for Google being able to do anything, I think they're past that stage. As the article says, 95% of the existing Android phones are vulnerable and I'd bet at least half of those have no means to patch or update their phones, at least not easily. This is the Achilles heal of Android phones, lack of OS support by the multitude of vendors (all those "other" vendors). Microsoft at least made it relatively easy to update/upgrade PCs even when these PCs were made by sketchy vendors. Mobile devices are different. These vendors don't want to change anything. Only time will tell.
Unlike the issue discovered by Trend Micro, which has not yet been patched, Stagefright was fixed by Google in the latest versions of Android. But because many users are not running the latest version of the mobile operating system, the vulnerability is said to affect 95 percent of Android device owners, running version 2.2 Froyo all the way up to 5.1.1 Lollipop.
Stagefright is easily avoided by turning off auto-retrieve in the android messaging app. Not that it isn't a serious issue, it certainly is, but it is easy to thwart. It sounds like this problem can be rather easily avoided as well by sticking to the Google Play store and not visiting dodgy websites.
So, rule of thumb, if you don't want to know anything about your device stick with iOS, it is clearly a more secure mobile OS. However, if you are reasonably intelligent and equipped with common sense, Android will be fine for you as well.
It is nice that Trend Micro is letting us know of these things without overplaying the seriousness for their own financial gain.
-kpluck
For what it's worth I'm not the one doing any baiting. I was called out at least twice in this thread alone already. If I don't reply it just gets more "calling Gatorguy" posts. I don't go inviting anyone to come into a discussion they weren't already a part of as I believe doing so would be considered a form of trolling would it not? For instance you';d frown on me posting "Hey Rob53, now what do you wanna say? LOL!" if you hadn't been a part of the discussion, right?
I understand and agree, which is why I only included his posting so my comment was directed at him. I might not agree with all of your postings but as long as you post content instead of wasting my time looking through meaningless garbage (like a lot of people post), then I have no problem with your comments. Having everyone agree makes for a boring day.....
Stagefright is easily avoided by turning off auto-retrieve in the android messaging app. Not that it isn't a serious issue, it certainly is, but it is easy to thwart. It sounds like this problem can be rather easily avoided as well by sticking to the Google Play store and not visiting dodgy websites.
So, rule of thumb, if you don't want to know anything about your device stick with iOS, it is clearly a more secure mobile OS. However, if you are reasonably intelligent and equipped with common sense, Android will be fine for you as well.
It is nice that Trend Micro is letting us know of these things without overplaying the seriousness for their own financial gain.
-kpluck
Actually @kpluck I like to know quite a bit about my device (and its limitations) compared to what other options are out there. I (and others) consider me reasonably intelligent and I think I have pretty good common sense (all arguable points). To your point Android would be fine for me, but knowing what I know, I think iOS is pretty
; and I don't have to worry (most times, when using it). For the little bits of time where there have been legitimate issues, Apple addresses them in days/weeks/months (on the outside). But your statements are correct; just don't assume that all iOS users couldn't care less about how the devices actually work, what it is and isn't capable of and what kinds of kewl things Apple has done (yes, not totally by themselves, but still). One of my favorite reads is the annual iOS Security Guide, published by Apple. Check them out for some very interesting insight into how things work (if you care).
Stagefright is easily avoidable, just as you mentioned. Sticking to Google Play and not visiting dodgy websites will take care of the issue for most users as well (for the Trend found issue), but what happens if/when a legitimate site is linking to external content, or even legitimate content that has been tampered with. Or when say someone's visiting a legitimate site, or streaming a legitimate video and someone with enough access (MITM) is able to tamper with their traffic (lets say non-ssl/unencrypted traffic) and inject malicious content into the data stream, read by the users device and ...
It would be nice for Google to be able to get the fixes they do and will develop, out to users...
Let’s see, the Wild Wild West vs the Walled Garden, what to do, what to do.
Interesting comment lkrupp! Wild West was a frontier. Wild West attracted people looking for any break over civilization, aggressive pursuers of freedom or opportunity, and people who were put there against their wishes or who were tricked into going. Is that what Android is?
Fabulous.
Kudos. The "making stuff up" is good to go.
Of course security matters, particularly business-wise. If Android devices aren't relatively secure then users eventually look elsewhere, Apple or even perhaps Microsoft.
As someone mentioned yesterday Google decided early on that the best way to distribute Android was via OEM's and making it attractive was the best way to get them on board. Now that the platform is established it's time for Google to take better control of it, and maybe they are. Many of the OEM's appear to be putting a greater emphasis on timely updates. If they'd do as Moto does it would work well. Their OS updates sometimes get delivered to users devices even quicker than Google themselves get it out to Nexus models. No particular reason that other manufacturers could not do the same if they'd just make better choices on how Android is integrated with their handsets.
But as mobile OS's take over the market you can expect more and more of these "exploits" to pop their heads out of the ground. iOS recently had their own exploit that could cause the same continuous reboot if making a connection to a bad player with wi-fi.
https://www.yahoo.com/tech/no-ios-zone-exploit-lets-hackers-continuously-117171131494.html
iOS had it's own recent exploit that potentially affected every device via key-chain. (Has that been completely patched yet? I don't think so but maybe.)
http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/
But advantage Apple here by far. I don't think they necessarily respond to security issues faster than Google does or perhaps even have fewer problems, but without hands being tied by outside manufacturers and carriers they can usually get the fixes out to users faster and that's what's important. Google is just going to have to take firmer control of Android IMHO.
While the original plan worked well, perhaps too well even, it's time to move on and be more Apple-like in the way Android is controlled. That's of course if regulatory folks in the EU will allow it.
AnywayiIn general mobile operating systems are considered far more secure than "desktop" ones. Maybe as they become even more intricate and interactive that might change. I hope not. In the meantime look for many more "discovered exploits" in mobile.
Google has been trying to shift the blame off to carriers and manufacturers for too long. This is entirely Google's problem in the making and they should have fixed this a long time ago. Microsoft/Apple/Linux all provide OS updates. Google, when it wants to, twists vendors arms (Asus, Samsung) if they have signed on to the OHA. And could easily have said that all OS updates for a device can be done by Google and if manufacturers wanted continued access to the Play Store, they needed to provide *immediate* driver and binary updates to Google. It would be Google's responsibility to generate a build for the device.
Now manufacturers can change the core AOSP software and add hooks deep into the OS with their skins and that could well mean this approach is not feasible to change the manufacturer's OS. But Google should be able to provide the latest Google experience OS so consumers can make the choice on whether they want to stick with Manufacturer skins or go with vanilla Android. A serious enough bug like this then at least provides consumers with an option.
But Google never considered OS updates to be a problem in the first place. I remember exchanging posts on a forum with Google's Dan Morill and he was adamant that this is non issue. That was 4 years ago. I hope that this public outcry and I hope it reaches mainstream news will force a rethink in Google.
The press makes a big deal about fragmentation which is a rubbish problem and also many so-called bugs. Its mostly rubbish and you are only going to get the malware on your phone if you pirate apps or are really so prone to phishing that no OS is safe. So while there may be a ton of malware written for Android, an infinitesimally small < 0.1% makes it onto an actual device in the US. Russia and China is another matter. But that's not Google's concern. Those devices don't have the Play Store. This one however is the real deal. The problem is in the stagefright media library and until it gets patched, band-aids like disabling auto retrieval of MMS is only going to stop one attack vector. Any app can use the library and while it would still have to get to your phone, life of malware authors has just got significantly easier. Maybe Google can figure something clever with the Play Services, but I hope it forces a better solution. A real one. I'm not too concerned about my devices. All my devices are rooted and safe and I'm sure within a couple of days of Google checking in a fix in AOSP, XDA will have a patch ready that I can use. But pity the non tech savvy users - the vast majority of them.
You are right about Moto and I had already decided that I'd either be upgrading my G3 to either a Moto, One Plus or a Nexus device. Talking with a wallet is the best way. But I shouldn't have to buy a Nexus device just to get OS updates.
There isn't much to induce me to go back to an iPhone any more. But Apple totally nailed OS updates (and Touch Id).
Pathetic Google.
Watch Gatorguy come here and make excuses.
You sure do send me a lot of invites. What excuse do you know of?
He's our version of Donald Trump. Lots of noise, little follow up. Sorry.
Yup.
At the very least @Gatorguy offers well reasoned and researched information.
I usually learn something from his posts regardless if it is something I want to hear. Accurate information cuts both ways. Either way I update my thinking.
Stagefright is easily avoided by turning off auto-retrieve in the android messaging app. Not that it isn't a serious issue, it certainly is, but it is easy to thwart. It sounds like this problem can be rather easily avoided as well by sticking to the Google Play store and not visiting dodgy websites.
So, rule of thumb, if you don't want to know anything about your device stick with iOS, it is clearly a more secure mobile OS. However, if you are reasonably intelligent and equipped with common sense, Android will be fine for you as well.
It is nice that Trend Micro is letting us know of these things without overplaying the seriousness for their own financial gain.
-kpluck
Common sense... You do realize its not the "only" unpatched bug that Google has decided to ignore, or can't patch.
Android seems even worse than Windows for security (if that is even possible!).
You've heard for of social engineering people to get them to click on things, even people with "common sense" and tech knowledge have done that. In this case, it would lead to side loading and a brick.
So... Basically, Android has to become Apple for people to solve these issue...
That constant wailing about the Walled Garden for 5 years from those morons, we have to forget all the crap they said?
Considering there are already several pending major unpatched security bugs on those older phones, do you think people should just close off every service, stop using it except for emergencies, just in case...
People should kick Google's ass and not accept this; it shouldn't be their responsability to make sure to tip toe around a bug (a broken down feature). They build a system broken by design and now they have to pay. Even now, in the latest versions, Google can't upgrade everything that's buggy without going through the carriers.
"Latest Android security exploit could leave more than half of current devices 'dead' & unusable"
Pop the bubbly! Great time to go iPhone!
(sparkling Apple cider is acceptable)
Wouldn't Android users just assume this is normal behavior for their cheap iPhone knock-off?
http://arstechnica.com/security/2015/07/major-flaw-could-let-lone-wolf-hacker-bring-down-huge-swath-of-internet/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+arstechnica/index+(Ars+Technica+-+All+content)