Pages

Thursday, 30 July 2015

950M phones at risk for ‘Stagefright’ text exploit thanks to Android fragmentation


Android mascot brokenWell, this isn’t exactly what we expected to wake up to: Joshua Drake of Zimperium zLabs says a simple text message hack could put 950 million Android phones at risk, he said to Forbes, in what could be one of the most serious exploits ever to hit the mobile OS — with only devices running Android 2.2 or older not affected by it.


The bug is part of Stagefright, a piece of code in Android that plays back media in MMS (multimedia message). All a hacker needs to do is send an MMS containing the exploit to the phone number of an Android device, which would let him or her write code to it and access any part of the phone that Stagefright has permissions for.
Android market share
Drake says he originally told Google about the exploit back in April and sent patches to fix the bugs. “Basically, within 48 hours I had an email telling me that they had accepted all of the patches I sent them, which was great,” he said to NPR. “You know, that’s a very good feeling.” The problem is, Android OS is notoriously difficult to update unless your carrier and phone vendor both play ball and coordinate a patch rollout.
Adrian Ludwig, Android Security’s lead engineer at Google, told NPR, “The flaw ranks as high in their hierarchy of severity; and they’ve notified partners and already sent a fix to the smartphone makers who use Android, [but] whether it gets put into people’s phones is not in Google’s hands.”
This is what happens when you put OS updates in the hands of companies that would rather sell you a new device than spend the effort patching the one you have, especially when there are hundreds and hundreds of different models out there, each with their own custom code on top of Android and woven into it in various fashions. Patching it will be a nightmare, and will depend entirely on how each manufacturer and carrier approach and resolve the problem individually.

No comments:

Post a Comment