- New vulnerabilities have been found within Android that are not known to be actively exploited
- The vulnerabilities are tied to media playback tools and indexers
- Patches for Stagefright should begin to be released the week of 8/2/15
Recently a security researcher revealed a series of high-severity vulnerabilities related to the native Android media player, Stagefright. The vulnerabilities carry serious security implications: an attacker could exploit them to remotely control and steal data from a device by sending the victim a multimedia message (MMS) packaged with an exploit or sending them to a website that contains the exploit.
A number of applications can process MMS content and thus receive exploits. It is thought that devices using Google Hangouts may be most at risk from Stagefright, since a victim may not even need to open the message for an attacker to take control of the device. In some attacks the victim has needed to open their default SMS app and the message thread for the exploit to work.
Additional research has shown that multimedia viewed in a browser (i.e. a web video) could also be used to deliver the Stagefright attack.
Another vulnerability, dubbed Matroska, has also been disclosed based on research by Trend Micro. It affects Android devices running Jelly Bean (Android 4.3) through Lollipop (Android 5.1.1).
The Stagefright vulnerability appears to affect all Android devices running Froyo 2.2 to Lollipop 5.1.1, which is almost all Android devices in use today. Google was first alerted by a security researcher who included patches in April 2015. Google has since accepted the patches and sent security updates to its partners to be distributed to vulnerable devices.
The Matroska vulnerability affects the mediaserver service, which Android uses to index media files located on the Android device. When the process opens a malformed MKV file, the service may crash and, along with it, the rest of the operating system. It could also render the device silent (no ring tone, text tone or notification sounds). The user may have no idea of an incoming call or message and cannot accept a call. Additionally, it is possible that neither party will be able to hear the other. The phone UI may also become very slow to respond or completely unresponsive. If the phone is locked, it may not be possible to unlock it. The Matroska vulnerability was reported to Google on 5/15/15. Google acknowledged it and reported it as a low-priority vulnerability on 5/20/15, identified as ANDROID-21296336.
A device will remain vulnerable until it receives Google’s patches for these vulnerabilities. Nexus devices will receive a direct security update from Google for Stagefright next week (week of 8/2/15), according to a statement attributed to a Google spokesperson. Additionally, Google will release it in open source when the details are made public by the researcher at Black Hat. Patches to non-Nexus devices could take weeks or months longer to be fully vetted and released by Google’s other partners.
Security vendors such as Lookout, Trend Micro, Kaspersky and Symantec may have mobile security products to help protect against these and other vulnerabilities. If you use one of these products, you should check with your vendor about what coverage they have for the Stagefright and Matroska vulnerabilities.
Matroska – none available at this time
Stagefright – it is believed that stopping the auto-fetching of MMS messages will help protect users. This will prevent an attacker from getting a device to automatically download a malicious video containing Stagefright exploits.
Disabling auto-fetching for:
Open Hangouts. Swipe from the left side to the right to pull out the menu.
Click “Settings”, then “SMS”
Scroll down and uncheck “Auto retrieve MMS”
Select “Multimedia message (MMS)”
Uncheck “Auto retrieve”
Scroll down and uncheck “Auto-retrieve”
Turn off/disable “Auto-retrieve”