Stagefright has exposed 95% of Android devices, 950 million devices in total.
Stagefright has arrived with aplomb, sending the mobile security industry into a worried frenzy and being branded as the ‘Heartbleed of mobile’.
Joshua J. Drake, a researcher at Zimperium zLabs, discovered the Android vulnerability after searching through Android code, eventually unearthing what the company believes is ‘the worst Android vulnerabilities discovered to date.’
Writing on the company blog, Zimperium zLabs stated:
"These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices."
"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification.
"These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone."
CBR looked to the security experts to gauge how serious Stagefright might be and, more importantly, the steps that can be taken to mitigate the threats resulting from it.
1. Exceedingly rare and dangerous
Chris Wysopal, CISO and CTO at Veracode, said:
"This is Heartbleed for mobile – a remotely exploitable vulnerability that affects millions of Android-based phones and tablets. These are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS.
"All an attacker needs to do is send an MMS to a user’s device phone number and sit back and wait for the malware to take over. It will be very interesting to see how Google responds to this. They’ll have to drive the patch quickly and in a manner that impacts every affected device at the same time. Waiting for handset manufacturers or carriers to issue a patch would be problematic since it could take a month or more before each party issues a patch.
"This would leave a big window for an attacker to reverse engineer the first patch issued by whichever party to create an exploit that would impact any device. We’re likely to see Google force down a tool that addresses the vulnerability for everyone."
2. Security lies within
Remi De-Fouchier, VP at Gemalto, said:
"It’s worrying to see this potential issue with Android phones, but there are ways to secure important information and credentials on mobiles through the use of Secure Elements inside the devices, such as latest generation SIMs and dedicated chips known as Embedded Secure Elements and Trusted Execution Environment, as well as using robust Mobile Software Security techniques to replace sensitive data by tokens and hide them inside the phone code.
"Although the purpose of this attack is unknown and it does not seem to culminate in the theft of data, future attacks most undoubtedly will be, making it more imperative than ever that the right secure technologies (or security frameworks) are in place to keep personal information safe."
3. Will critical updates ever arrive?
David Kennerley, Threat Research Manager at Webroot, said:
"Google has patches available for Android OSs it continues to support. But the bad news is that most smartphone manufacturers will need to implement the new code into their own Android OS flavours. This means manufacturers are in complete control of when users will receive these critical updates. Past experience tells us some customers could be waiting a very long time – possibly forever."
"Smartphone manufacturers should take this as an opportunity to show how serious they are about defending the security of the customers who have already and deploy credible fixes asap. Something tells me this isn’t a story that isn’t going to go away anytime soon."
4. Beware text messages & Google Hangouts
Stephen Ward, Senior Director at iSight Partners, said:
"Since the vulnerability could be exploited with little or no user reaction and users are at the mercy of individual phone manufacturers to provide a patch, we believe exploitation poses a significant threat to vulnerable devices in the mid- to long-term.
"Until patches are made available and applied, users can mitigate the risk by not using Google Hangouts to receive text messages or opening text messages from unknown contacts."
5. A reflection of our ignorance
Trey Ford, Global Security Strategist at Rapid7, said:
"This isn’t just about a particular scary vulnerability, and the great work by Mr. Drake, it’s about how dependent we have become upon code, and how ignorant, uninformed, and un-empowered we are to protect ourselves, especially when vendors stop taking care of new vulnerabilities.
"It doesn’t matter who builds your devices, if it runs on software, it requires regular updates. For this vulnerability, Android users should contact their carriers to find out when a patch will be made available. Users looking to buy a new mobile device should consider buying directly from the manufacturer – Apple, Google, etc. – as it more often than not enables you to get updates and patches directly, without waiting for carriers to update, test, and release their own software builds."