Naked Security

Stagefrightened Google, Samsung to push out monthly Android fixes

The aptly named Stagefright vulnerability scared them into action. Let's hope that fear shakes up all the vendors and carriers so the fixes get to us ASAP.

Android. Image courtesy of Bloomua / Shutterstock.


Stagefright is a nasty security hole in Android that can be triggered by a booby-trapped multimedia file – the sort of content that can be delivered via an MMS message.

And the fact that Android’s default SMS/MMS apps are set up to download content automatically as soon as messages arrive has scared Samsung and Google into announcing that they’ll push monthly security updates for Androids.

Samsung and Google announced the new monthly updates on Wednesday, the same day that mobile security firm Zimperium’s Joshua Drake took the stage at the Black Hat security conference to explain how some 950 million Android phones could be trojanized by receiving a rigged message.

As Paul Ducklin explained it last week when news of Stagefright first broke, the default SMS/MMS apps in Android 4.4 (KitKat) and 5.x (Lollipop) are Messaging and Hangouts respectively, and their default configuration is to download MMS content in the background as soon as messages arrive.

Many nowadays favor more current messaging systems on their devices, like WhatsApp, Snapchat or Instagram, so a reminder of what MMS is – the acronym stands for Multimedia Messaging System – might be in order.

As its name implies, it’s like SMS but it also handles multimedia such as videos, sounds, and pictures.

At any rate, it sounds as though you’re in good shape if you happen to own a Nexus Android phone and if your carrier doesn’t get bogged down in wrapping its own software around the fix.

From Google’s announcement on Wednesday:

Nexus devices have always been among the first Android devices to receive platform and security updates. From this week on, Nexus devices will receive regular [over-the-air] updates each month focused on security, in addition to the usual platform updates. The first security update of this kind began rolling out today, Wednesday August 5th, to Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player. This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues. At the same time, the fixes will be released to the public via the Android Open Source Project. Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.

That still leaves a long list of vulnerable Android phones, however: Zimperium listed 10 other vendors in its post about Stagefright.

Samsung Mobile is on that list.

Samsung said on Wednesday that it has fast-tracked security updates for Galaxy devices in light of Stagefright and is working with carriers and partners on those updates.

Stagefright has also spurred Samsung to adopt a monthly update cycle:

Samsung Electronics will implement a new Android security update process that fast tracks the security patches over the air when security vulnerabilities are uncovered. These security updates will take place regularly about once per month.

Samsung promised more details about specific models and said that timelines for release of the fixes will be out soon.

But while Google and Samsung might be on the fast track with fixes, some of the phone carriers seem to be traveling on stagecoaches whose wheels have gotten stuck in the mud.

As of Wednesday, Sprint was set to start pushing out updates to the Nexus 5 and Nexus 6, as well as Galaxy S6, S6 Edge, S5 and Note Edge devices.

But T-Mobile, for one, couldn’t even give me a good guess as to when it’s going to push out updates.

This is how we get the mud puddle where vendors and carriers get stuck: vendors use Android along with their own software, and Google has left it to the vendors to get updates out to users.

That could put Android users in the position of getting a fix for a known vulnerability months late, if they ever get it at all, because Samsung or T-Mobile or fill-in-the-blank vendor or carrier just couldn’t get its act together.

So while Samsung and Google are now intent on adopting a regular update cycle (meaning that they should always have a chance to get a fix out within the next month), that still leaves many of us at the end of the Google-vendor-carrier string, waiting for updates to trickle down.

The good news about Stagefright is that, as far as Zimperium’s Drake can see, there are no attacks in the wild.

(Yet, and only as far as one researcher can see.)

As well, as Google lead engineer Adrian Ludwig told NPR, about 90% of Android devices are protected with a technology called ASLR, short for Address Space Layout Randomization.

ASLR generally makes buffer overflow and related vulnerabilities much harder, though not impossible, for attackers to exploit.

That’s a bit of a comfort, but it’s short of a fix.

While we wait for fixes to trickle down from our respective phone vendors and carriers, there are things we can do to lessen our risk, as we outlined last week.

7 Comments

Here is a response received from Samsung which I think highlights an issue with vendors not adequately supporting their products and pretty much making smartphones disposable tech:

Thank you for your email. Your customer reference number is #####.

In regard to your recent email, I can confirm that I have looked further into the Android versions for your Samsung Galaxy S2.

Unfortunately the Galaxy S2 does not meet the hardware criteria needed to be able to run the more recent versions of the Android Software. With this being the case, your device is only able to run Android 4.1.2 and it is unlikely to receive any further software updates.

I apologise for any inconvenience this may cause.


As one who has not acquired a smartphone yet but plans to do so soon (a late technology adopter, no doubt), I have been weighing iPhones vs. Androids. While nothing is perfect, this does it for me – Android phones are just not secure. iPhone it is for me.


Windows Phones are great. Microsoft can release security updates directly to the devices when necessary and just did so about a month ago. Highly recommend you taking a look.


Don’t buy one that isn’t rootable. It will be worthless when you get tired of the preinstalled malware – not to mention losing resale/repurpose value.


Google still take forever to release even on Nexus devices. I’ve a N5 which has yet to receive this update.

Same with the 5.x.x releases. My colleague received said update(s) or I did while the other had to wait weeks for the same update.

Both phones were purchased from the Google Play UK store on release day. Both stock and unrooted.

I understand and get staggered releases, but sometimes it’s a joke since they released Lollipop.


Lisa wrote “At any rate, it sounds as though you’re in good shape if you happen to own a Nexus Android phone and if your carrier doesn’t get bogged down in wrapping its own software around the fix.”

What about the situations where carriers aren’t involved?
1) I bought a Moto-E 2nd Generation directly from Motorola and use it on a Bring Your Own Device program. Not sure when Motorola will send an update. Just tried Settings > System > System Updates and nothing new was available.
2) What about all the “orphan” tablets? Most aren’t vulnerable to malicious MMS messages but have never been updated for Heartbleed or other malware that can be propagated over wireless networks.

The whole AOSP program is deficient in that it lacks requirements for updates. Any manufacturer of an AOSP device ought to be contractually held to provide security updates for at least 5-10 years.
