A Word Of Fear For Android Devices

Introduction

If we talk about smartphones and android devices, then there are billions of billions users using Android OS worldwide. 1.5 million android devices are getting activated daily including smartphones, tablets and android wearable. If you keep this figure in mind then there are billions of users using android OS. These figures show just how popular android is right now. People like this Operating System very much. But due to increase of users, security concerns are rising.

Figure 2: Rising

If we talk about global market share of Android devices, then it is more than 82% worldwide. It means most of the smartphone users using Android OS. But with this increase of users now a days, mobile security is also at risk because a bug called StageFright has been detected due to which mobile security of billions of android users is at risk and this article describes all about StageFright.

Figure 3: Showing global

What is StageFright

According to Wikipedia.

“Stagefright is the collective name for a group of software bugs that affect versions2.2 (“Froyo”) and newer of the Android operating system, allowing an attacker to perform arbitrary operations on the victim device through remote code execution and privilege.”

Who discovered StageFright

A top Android researcher Joshua Drake (@jduck), who is working in Zimperium’s zLabs team, discovered the most vulnerable bug in Android OS escalation and was publicly announced for the first time on July 27, 2015. Zimperium’s team is also calling it ‘Mother of all Android Vulnerabilities’, as it impacts 95% or 950 million of all Android devices and do not require any interaction with the victim.

Why StageFright is the most vulnerable bug

It is most vulnerable because a hacker can get into your android device without interacting with the victim and can operate remotely or silently and you can never guess that you are the victim if you are not a techie and smart enough. Here below is a StageFright demo video released from Zimperium’s zlabs by Joshua Drake. In this video Joshua Drake is showing how a hacker can get into your device and what type of privileges he/she can escalate.

See StageFright Demo Video

StageFright Versions

Two versions are their which exploits an Android device:

  • StageFright 1.0
  • StageFright 2.0

StageFright 1.0

StageFright 1.0 fixed patch has been released from Google. StageFright chooses auto retrieval mms option of messaging app & chat apps to send malicious file into your Android device and silently get into it through the libStageFright mechanism (thus the “Stagefright” name), which helps Android process video files. Many text messaging apps — Google’s Hangouts app was specifically mentioned — automatically process that video so it’s ready for viewing as soon as you open the message, and so the attack theoretically could happen without you even knowing it. Google is saying that StageFright 1.0 is fixed. If I talk about my smartphone which is Motorola G, it got an update in which StageFright 1.0 patch is also there to fix it.

You can get an idea about StrageFright 1.0 from the following link:

Avast blog for StageFright 1.0

StageFright 2.0

According to Zimperium, a pair of recently discovered vulnerabilities make it possible for an hacker or attacker to get into Android device with a MP3 or MP4 like file, so when the metadata for that file is previewed by the OS that file could execute malicious code via website or a human being. In the middle of an attack it is built specifically for delivering these malformed files, this code could be executed without the user interaction.

“Zimperium claims to have confirmed remote execution, and brought this to Google’s attention on August 15. In response, Google assigned CVE-2015-3876 and CVE-2015-6602 to the pair of reported issues and started working on a fix.”

Is your Android device vulnerable for StageFright 2.0

According to Zimperium “In one way or another, yes. CVE-2015-6602 refers to a vulnerability in libutils, and as Zimperium points out in their post announcing the discovery of this vulnerability it impacts every Android phone and tablet going back as far as Android 1.0. CVE-2015-3876 affects every Android 5.0 and higher phone or tablet, and could theoretically be delivered via a website or man in the middle attack.”

What CVE is

I am talking about CVE but what actually CVE is?

CVE stands for Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures.

CVE-ID Syntax

There was an old version of CVE syntax also which is little bit different from the below defined syntax.

CVE prefix + Year + Arbitrary Digits [ New syntax implemented from Jan 1st, 2014 ]

So if someone says what is CVE-2015-6602, then we can easily describe it, that it is a threat ( Common Vulnerability Exposure ) which came in year 2015 having CVE-ID 6602. By putting CVE-2015-6602 on website: www.cvedetails.com you can get more information, resources and links for the particular CVE. I hope that now CVE-YYYY-NNNN is not a new thing for you. You are aware and you can answer if someone asks.

Figure 4: Fetching

The following figure is clearly showing the difference between old CVE syntax and new CVE syntax.


Figure 5: Showing
Image Source: mitre.org

How to know my Android device is affected by StageFright 2.0 vulnerability

Zimperium launched a tool StageFright Detector which tells us about StageFright vulnerability for our android device. You download their app from Google Play Store.

How to fight with StageFright 2.0 until the patch arrives:

  1. Try to not download mp3 or mp4 from your web-browsers.
  2. Avoid public networks.
  3. Secure your wi-fi connection with strong passwords.
  4. Pay attention that where and what you are browsing

OS which have fixed StageFright 2.0

Blackphone 2, is a smartphone in which phone is encrypted for tightening the security. The company named it Silent OS which is also made from Android open source.

Cyanogenmod OS have patched for StageFright 2.0

I am surprised what Google is doing, is Google seriously doing something to secure their OS like IPhone. iOS is much more secure than Android. iOS released updates in timely fashion to make it secure and for better performance and keeping eye on their store. I read the news 10-20 days ago that a Chinese app in iOS was trying to do getting information. Apple quickly blocked that app from their store. This is called secure environment with quick action.

Wrap Up

Although android device covered more than 83% market globally but if security issues will go on continuously people will lose their interest in android device. Billions of android devices are at risk. Privacy is also at risk. StageFright attacker can get access to your android device at root level and can do anything. Let’s see what will happen in coming months. Hoping better future for android device in terms of security.

About the Author