Modern field guide to security and privacy

Widespread Android vulnerability could turn phones into spycams

The newly discovered flaw affects software found in Android devices dating back to 2010. Even though Google has released a fix, that won't help Android users who still rely on operating systems the company no longer supports. 

Photo: Reuters/File. A woman talks on her phone in front of an advertisement promoting Samsung Electronics' Galaxy Camera at the company's headquarters in Seoul.

A security flaw in Google's Android mobile operating system allows attackers to take control of someone's device just by sending a text message – and the recipient doesn't even have to open it. 

While Google has released a patch for the widespread vulnerability found in its Stagefright multimedia playback engine in the Android OS, the fix won't help millions of users with older versions of the system that Google no longer supports. Android has deployed Stagefright since its 2.2 release in 2010.

But perhaps more concerning than this flaw is the fact that Stagefright seems so poorly coded that it's ripe for other major security issues, says Joshua Drake, senior director of platform research and exploitation at the cybersecurity analytics firm Zimperium.

"My only reservation about calling this bug the Stagefright bug is that I highly doubt this is the last time we’ll have to talk about Stagefright," says Mr. Drake, who publicly revealed the vulnerability on Monday.

Google declined to comment on the quality of the Stagefright code or on the testing practices used to evaluate it for security flaws. The company did, however, release a statement thanking Drake for his work in revealing the vulnerability.

One use for Stagefright is preprocessing videos sent over text message or through some third-party apps. The bug in the multimedia engine means that attackers could send a text message with a malicious video file and infect the mobile device without a recipient actually clicking to open the file.

“[A hacker] could even delete that text message and delete the evidence of the attack,” says Drake.

By exploiting this vulnerability, an attacker could gain control over Bluetooth, video, audio, and the microphone – enough to turn a phone into a spycam. On many phones, an attacker could gain complete control of the device.

News of the Stagefright bug also raises questions about Google's update policy for the Android operating system. Currently, Google provides patches for the two most recent operating system versions it still supports – KitKat and Lollipop.

Unlike the Apple iPhone, where 84 percent of users run the current operating system, Android users regularly lag behind in updates. Only around half of the 1 billion Android users run Lollipop or KitKat, meaning some 500 million phones are still susceptible to the Stagefright attack.

Security professionals have long been critical of Google over its Android update practices. When bugs affect Android versions that Google still supports, the company writes a patch, sends it to phone manufacturers, and counts on companies such as Samsung or Motorola to update their customers' phones. But many manufacturers do not treat updates with urgency. If a bug affects a version of Android that Google no longer supports, phone manufacturers can develop patches on their own, but few ever do.

"The problem is that devices sold today have no warning system as to if they will ever be updated," says Todd Beardsley, research manager at the security firm Rapid7.

While it’s possible to change Android's settings to prevent the phone from automatically downloading video from text messages, that still may not be a complete fix for Android users who don't receive the patch for their phones, says Drake, the Zimperium researcher. “The best I can say to people without the patch is to make sure they trust anyone with their phone number."

Source: https://www.csmonitor.com/World/Passcode/2015/0727/Widespread-Android-vulnerability-could-turn-phones-into-spycams