Security bug could threaten 950 million Android devices

In recent weeks, at least two potentially frightening new vulnerabilities have been discovered that could threaten an estimated 95 percent of the one billion devices running the Android operating system. The good news is that as of this writing, there have been no documented attacks on Android devices that take advantage of these two security vulnerabilities. The bad news is that now that information on these security vulnerabilities has been widely published, as well as presented at the recent Black Hat hacker and security convention in Las Vegas, it may only be a matter of time until some bad guys start to take advantage of these security vulnerabilities.

Google, the progenitor of Android, was promptly made aware of the vulnerabilities as soon as they were uncovered, and has produced patches and fixes for many of the Android devices that have these vulnerabilities. The problem is that with the exception of a few models of Nexus smart phones supported directly by Google, it is up to the phone manufacturers or the cell phone carriers to release the upgrades and patches to close these vulnerabilities. At present, none of the major third-party security software publishers provide any protection, leaving many of us vulnerable.

One of these newly discovered Android vulnerabilities was given the moniker “Stagefright” by its finder, Joshua Drake, vice president of platform research and exploitation at Zimperium. Drake first reported on the Stagefright vulnerability in April, disclosing his findings to Google, which quickly developed and provided security patches to its Android partners. Most of these Google partners who have not yet provided the patches to their respective customers may not do so for months, if at all; many phone manufacturers and carriers have explicitly stopped supporting and patching older Android phones, which are still in use by the millions. In several media interviews, as well as his Black Hat presentation, Drake explained that, “All devices should be assumed to be vulnerable.” As stated in a July 27 Forbes magazine interview, Drake said that he believes that as many as 950 million of the one billion Android phones currently in use may be vulnerable to the Stagefright vulnerability. Drake went on to say that only older Android phones running versions of Android below version 2.2 will not be potentially affected by this bug.

It is important for Android users to understand that Stagefright is not a virus or other form of malware that could infect a phone, but is instead a bug, or unexpected and unforeseen security vulnerability in the Android software itself. This vulnerability is in the heart of the Android software that processes, plays and records multimedia files.

According to Drake, the security vulnerability may allow a hacker to illicitly access the targeted device by simply sending an MMS message (text message) or multimedia file. What is especially nefarious about the Stagefright vulnerability is that it can be taken advantage of by a hacker without any action by the user; the victim does not have to open or click on anything in order for the hacker to access a device. It is also theoretically possible for a hacker to capitalize on this vulnerability when an unsuspecting victim opens a purloined video file on a website. Once a hacker has taken advantage of this security gap in Android, he can access the victim’s camera, microphone, and any data or images in the device’s external storage. On some devices the hacker can also gain root access to the inner workings of the device.

In order to easily determine if a particular Android device is vulnerable to the Stagefright vulnerability, Zimperium has released a free “Stagefright Detector App” available from the Google Play Store. A similar detector utility was just released by the security software company Lookout, which it simply calls “Stagefright Detector.” While these utilities will detect the vulnerability, closing it will still require a patch or other fix from the phone maker or the cell phone carrier supporting and updating the device.

When I first read of this Stagefright vulnerability and the availability of the detector, I downloaded and installed the detector. My year-old Huawei Ascend Mate 2 phone, which had previously been upgraded by Huawei to Android Lollipop 5.1 (from 4.4), had the Stagefright vulnerability; coincidentally, just yesterday (the day before typing this column), I received a patch from Huawei that, among other benefits, closed the Stagefright vulnerability on my phone. I reran the Stagefright detector from Zimperium to confirm the fix, and the vulnerability on my phone has definitely been patched by the recent update.

Another Android security vulnerability was disclosed at the recent Black Hat security convention. Well-known security company Check Mate disclosed this newly recognized bug, which it named “Certifi-Gate.” The bug may potentially allow a hacker to take control of a victim’s phone by utilizing the “Remote Support Tools (RSTs)” software that was installed on the phones by the manufacturers, often at the behest of the cell phone carriers selling those particular phones. Check Mate promptly notified the device makers and cell phone companies of the vulnerability.

According to Check Mate, there are millions of phones and tablets made by Samsung, ZTE, HTC, LG and other manufacturers that have incorporated this vulnerable “remote support” function software; according to Google, Nexus phones do not have this particular vulnerability. These tools rely on a security method known as digital certificates; hackers can spoof or counterfeit these supposedly secure digital certificates, allowing them the same access to the internals and functions of the phone that had previously only been allowed to legitimate support personnel. Once the hacker has tricked the phone or tablet into accepting a spurious digital security certificate, he or she has direct access to personal information stored on the phone and can turn on the microphone to remotely record conversations, track the location of the device and its user, and otherwise threaten the security and privacy of the victim.

While the device manufacturers and cell phone carriers were promptly notified of the vulnerability, it may be months, if ever, before they push the patches for this newly discovered vulnerability. Users can download a free utility that will show whether a device is vulnerable to this remote support vulnerability. Written by Check Mate, the utility “Certifi-Gate Scanner” can be downloaded directly from the Google Play Store.

According to Check Mate, in order for hackers to take advantage of this vulnerability, the user must first download and install an application that contains the code that gives the hacker the access. The Google Play Store continuously monitors the apps that it makes available, checking them to make sure that they do not contain any malware. Check Mate advises users to install applications from a trusted source, such as Google Play.

With the continual battles among users who seem to love arguing iOS and iPhones versus Android devices, iPhone users should not gloat over these Android vulnerabilities. At the Black Hat convention in 2013, which is where many hackers and crackers rub shoulders with security experts, the vulnerabilities of iOS devices, specifically iPhones, were discussed. In one of the presentations, despite the false but widely held belief that iPhones are immune to attack and are very secure by nature, researchers from the Georgia Institute of Technology were able to inject persistent, undetectable malware into iPhones, iPads and other iOS devices using the latest generation of the iOS operating system. Using a modified USB charger, nicknamed “Mactans” after a type of black widow spider, the researchers were able to compromise any current generation Apple device in under a minute.

Check your smart phone for these vulnerabilities, and do not download apps from any source other than reputable sources such as the Google Play Store or the Amazon App Store. Do not open any text messages from people that you do not recognize, although text messages can be spoofed just as e-mails are frequently spoofed. If you find that your device maker or phone carrier is providing a patch, update, or upgrade, strongly consider taking advantage of the offer and update your device immediately.

