Please create an account to participate in the Slashdot moderation system


Forgot your password?
Security Android Google IT

Millions of Android Devices Vulnerable To New Stagefright Exploit 48

An anonymous reader writes: Security researchers have found yet another flaw in Android's Stagefright. The researchers were able to remotely hack an Android phone by exploiting the bugs. According to their estimation, the flaw exposes devices running Android software version between 5.0-5.1, or 36% of 1.4 billion, to security attacks. "I would be surprised if multiple professional hacking groups do not have working Stagefright exploits by now. Many devices out there are still vulnerable, so Zimperium has not published the second exploit in order to protect the ecosystem," Zuk Avraham, chairman of Zimperium, the firm which found the first Stagefright exploit told Wired.
This discussion has been archived. No new comments can be posted.

Millions of Android Devices Vulnerable To New Stagefright Exploit

Comments Filter:
  • Good (Score:5, Funny)

    by johanw ( 1001493 ) on Thursday March 17, 2016 @12:33PM (#51715785)

    A new nearly-universal root method is always handy.

    • Re:Good (Score:5, Informative)

      by AmiMoJo ( 196126 ) <> on Thursday March 17, 2016 @12:57PM (#51715991) Homepage Journal

      That's not what this is. TFP is careful to point out that all it gets you is executing arbitrary code in the process that is affected, in this case the browser. So you would need further exploits to get anywhere from there.

      Even that is difficult as it requires knowing certain things about the target device, like the exact ROM it is running. It also looks like Google should be able to mitigate is pretty quickly by updating Chrome and various system components via Play.

      • by emil ( 695 )

        Didn't Firefox eliminate all usage of stagefright in their browser? That might be safer still, especially considering that Google made this mess. Firefox brings along their own h.264 and webm codecs that can actually be updated - how shockingly innovative!

        It might be further prudent to purge any browser based on webkit/blink from Android. The "celebrated" fast browsers (maxthon, cmbrowser) have terrible scores at anyway.

        This is Google's problem with Android:

        Everyone knows that debugging is twice

    • Re:Good (Score:4, Informative)

      by GuB-42 ( 2483988 ) on Thursday March 17, 2016 @01:04PM (#51716059)

      Not when there is already an "official" method that requires a physical manipulation.

      A typical Android root method that is tolerated by manufacturers requires you to reboot, press a specific button combination, connect your device to a computer via USB and run a program on the computer. This way, you can be reasonably sure that the user is the one why initiated the root procedure and not some malware. Root has serious security implications, so anything that guarantees that it really is the user's choice is a good thing.

      Android is not iOS, there is plenty of choice for devices that can be rooted without shady exploits. We shouldn't rejoice when such vulnerabilities appear.

      • Just for clarification, there are official methods to bootloader unlock some phones (eg Google Nexus, HTC, Motorola, Sony, etc.), but not root. These methods vary by carrier. Generally carrier branded phones may be bootloader unlockable (AT&T HTC One M8/M9/A9) or not (Verizon HTC On M8/M9). Have to do research to figure this one out.

        Now with regard to root, root and bootloader unlock often go hand in hand, but they're not the same thing. You can have root on your system without having bootloader unlock

        • by Foresto ( 127767 )

          To expand on that, there are cases when a root exploit is preferable to a bootloader unlock. For example, when the official bootloader unlock procedure deletes all your applications and data, and permanently disables some of the features in your phone. (I'm looking at you, Sony.)

    • A new nearly-universal root method is always handy.

      To attackers wanting to steal your data, sure.

      For users, this is a bad thing. If you want to root your device, buy one that is unlockable and you won't need exploits. Meanwhile, OEMs need to keep their devices patched so that problems like this don't reduce the security of hundreds of millions of devices.

      That said, it's worth pointing out that Stagefright appears to have turned out to be much ado about nothing. AFAIK (and I work on the Android security team, so there's a high probability that I would kn

      • by brunes69 ( 86786 )

        I am a "user" and the only reason I entered this thread was to see if I could use this to FINALLY root my Galaxy S6 which has a signed bootloader and no root method.

        So, you're wrong. Users also want root methods for Android because carriers and manufacturers keep locking the damn bootloader

        • I believe that this has been repeated incessantly, but if you want complete freedom over your phone, get a Nexus.Samsung phones are great for average users, but thats it.
          • by piojo ( 995934 )

            It's really hard to get a phone that has complete freedom and isn't junk. The best compromise I've seen was the HTC m7. I heard the newer Nexus phones might not be as bad as the one I had, but it's going to be a few years before I'm willing to give Google another chance.

        • So, you're wrong. Users also want root methods for Android because carriers and manufacturers keep locking the damn bootloader

          If you want to root, why did you buy a locked phone? In the short term that's the only way you'll be able to do it reliably. In the long term that's the only way you'll be able to do it at all. As we keep tightening the security model exploits are going to get both rarer and less effective (SELinux is making it damned hard today to convert system exploits to root exploits).

          Perhaps more importantly, by choosing to buy an unlockable phone you're sending a message to OEMs, telling them that unlockability is

          • We don't all have Carle blanche options on what phones we can buy.

            • We don't all have Carte blanche options on what phones we can buy.

              Then your days of rooting are coming to an end. They may already have come to an end; it's possible that your Galaxy S6 will never have a workable rooting method.

  • by Aighearach ( 97333 ) on Thursday March 17, 2016 @12:57PM (#51715983) Homepage

    You need to put some basic technical information about what is affected in the summary. If you don't give that, it is just click-baity.

    Specifically, this affects Android versions "2.2, 4.0, 5.0 and 5.1. Other versions are not affected."

    If you use nerds for editors, that can help make sure that you include the right information in the summary so that users can evaluate if they want to click on the link, or not. We don't just click all the links because they were posted.

  • windows. Sorry Android...

  • Back when my phone was still reporting it was vulnerable, I took the step of disabling auto downloading of multimedia messages as it was the only way to be sure (Nuke it from Orbit)

    I only turned that back on after my phone passed all the known tests... At this point, It's not worth the risk - this whole StageFright thing seems to be just fundamentally bad, so I'm leaving the Auto Download off.

    I never once got a multimedia message from someone who wasn't already known to me, but I figure that the slight inco

    • by robmv ( 855035 )

      I am on a Nexus device, a properly patched Android, but still I removed the MMS configuration from the cellular network AP configurations. I don't use or receive MMS, so there is no need for it. It is another good option.

  • I downloaded Stagefright Detector on my Galaxy S7, and it says "Your device is not vulnerable to Stagefright. Everything is OK." Now if I could only get that kind of feedback in other areas of my life!
  • Note the FBI and President aren't publicly pushing for Google's help to unlock Android devices.
    Things like this explain why it's not necessary for the government to get help.

  • "This research shows exploitation of this vulnerability is feasible. Even though a universal exploit
    with no prior knowledge was not achieved, because it is necessary to build lookup tables per
    ROM, it has been proven practical to exploit in the wild."

    Especially the part that says "a universal exploit
    with no prior knowledge was not achieved".

      In other words to own it you must own it? Just kidding, excellent work .

  • I'm safe (Score:4, Informative)

    by JustAnotherOldGuy ( 4145623 ) on Thursday March 17, 2016 @05:32PM (#51718293)

    From the PDF: "The victim also has to linger for a time in the attack webpage"

    Since I don't use my phone for browsing*, I guess I'm safe for the moment.


    *Yeah, I just use it to make calls and take calls, and maybe snap the occasional picture. Weird, huh?

Live free or die.