NPR article re: security problem

enb123

Well-known member
Mar 25, 2011
93
1
0
Visit site
I'm gonna guess that this is probably a lot of FUD, but it would be interesting to know how people here feel about it:

Major Flaw In Android Phones Would Let Hackers In With Just A Text : All Tech Considered : NPR

It sort of sounds like a flaw within Hangouts and, to a lesser extent, Messenger, which Google could patch without a broad-based OS update. The exploit is a result of videos being automatically downloaded and ready to play without a user having to allow that in Hangouts. But it's presented as the end of days!

Thoughts?
 

monsieurms

Well-known member
Sep 30, 2011
1,540
59
48
Visit site
Well, it's a good introduction. I do understand that Rome is not built in a day. But we need a lot more investigation.....for the next steps.

--What do security experts recommend at this point? Can people like Lookout do anything about this? In looking at Lookout, they don't even seem to mention StageFright as a threat!!
--What plans do the carriers have to address this?
--Is there any carrier who has already fixed it? For instance, it wasn't long back that I upgraded to Lollipop. That was after this patch issued by Google. Was it included by T-mobile? I'm going to look.
 

LockOnTech

Well-known member
May 3, 2014
67
0
6
Visit site
Well, it's a good introduction. I do understand that Rome is not built in a day. But we need a lot more investigation.....for the next steps.

--What do security experts recommend at this point? Can people like Lookout do anything about this? In looking at Lookout, they don't even seem to mention StageFright as a threat!!
--What plans do the carriers have to address this?
--Is there any carrier who has already fixed it? For instance, it wasn't long back that I upgraded to Lollipop. That was after this patch issued by Google. Was it included by T-mobile? I'm going to look.

At this point, it is a matter of waiting for the solution. Compared to the lenovo superfish mess, google just can't leave this unattended.
 

monsieurms

Well-known member
Sep 30, 2011
1,540
59
48
Visit site
At this point, it is a matter of waiting for the solution. Compared to the lenovo superfish mess, google just can't leave this unattended.

According to various articles, Google fixed this months ago. The problem is that the carriers may not have rolled out the fix.
 

Dark Penguin

Well-known member
Aug 21, 2011
415
2
18
Visit site
I saw this problem reported on Spiegel.de ("Die Mutter aller Android-Schwachstellen") .

Can we protect ourselves by disabling MMS, or messages that contain video attachments?
 

monsieurms

Well-known member
Sep 30, 2011
1,540
59
48
Visit site
I saw this problem reported on Spiegel.de ("Die Mutter aller Android-Schwachstellen") .

Can we protect ourselves by disabling MMS, or messages that contain video attachments?

I contacted Lookout, and they responded as follows:

"Currently it's not possible for Lookout to fix this flaw or prevent your device from being affected....You can mitigate the potential for automatic execution of the vulnerability by disabling auto-downloading of MMS on your device. To do this, open the messaging app you use and disable automatic downloading of MMS in the apps settings."
 

Eclipse2K

Well-known member
Mar 22, 2011
5,722
107
0
Visit site
Then I am surprised, how is this a carrier responsibility?

Google fixed this months ago so the fix is out there. Manufacturers such as Motorola, Samsung, LG, etc. have to make the update. Once done, the carriers have to test it before they push it. Although, with an update this crucial, I bet even Verizon wouldn't hesitate to push it.
 

oneeyecarpenter

Well-known member
Jul 6, 2014
109
0
0
Visit site
Hi,

This issue will be fully disclosed at Blackhat USA 2015 this week. Google used the patches provided by the researchers. HTC and others started to incorporate these at the beginning of July. It will only be included in very few products so far,but a factory reset in newer lollipop devices may do the trick for some.CHECK FIRST with your manufacture. Everyone else will need to disable video autoloading in their messaging apps,hangouts and what's app included,along with all other third party messenger apps. Avast blogged about this,and no mobile security app can protect you on this.https://blog.avast.com/2015/07/29/big-brothers-could-be-watching-you-thanks-to-stagefright/

This is as serious as it gets,contrary to AC and Google down playing it. Besides having your personal information stolen,who ever utilizes this vulnerability can spy on the device owners. This will be extremely bad for those in other countries with repressive regimes,but any government could use this at will,and you may never know it. For example,China may want to spy on Android users in the US,or any other country,and vice a versa. It's shameful that Phil makes light of this,and ridiculed the researchers.
 

monsieurms

Well-known member
Sep 30, 2011
1,540
59
48
Visit site
There was some indication that this only applied to versions below Lollipop and if you have a recent Lollipop update it includes the patch Google created.

Meanwhile, T-mobile says it's waiting on Samsung and will then get to it; Samsung says they are working on it:

"Samsung: "Google notified us about the issue, and we are working to roll out the software update as soon as possible. Samsung encourages users to keep their software and apps updated, and to exercise caution when clicking on an unsecure mail or link.""
 

Dark Penguin

Well-known member
Aug 21, 2011
415
2
18
Visit site
There was some indication that this only applied to versions below Lollipop and if you have a recent Lollipop update it includes the patch Google created.

According to what I've read, the versions affected are Gingerbread through Kitkat.

I haven't been keeping up with the latest developments, but do recall a lot of people with the S5 had problems with Lollipop, so I'm still holding off on that.
 

monsieurms

Well-known member
Sep 30, 2011
1,540
59
48
Visit site
According to what I've read, the versions affected are Gingerbread through Kitkat.

I haven't been keeping up with the latest developments, but do recall a lot of people with the S5 had problems with Lollipop, so I'm still holding off on that.

As between some possible blips with Lollipop and damage from Stage Fright, I'd upgrade as soon as possible if that does it.