Ars reports on a serious Android exploit to be disclosed at the upcoming BlackHat:
Almost all Android mobile devices available today are susceptible to hacks that can execute malicious code when they are sent a malformed text message.
The vulnerability affects about 950 million Android phones and tablets, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium. It resides in "Stagefright," an Android code library that processes several widely used media formats. The most serious exploit scenario is the use of a specially modified text message using the multimedia message (MMS) format. All an attacker needs is the phone number of the vulnerable Android phone. From there, the malicious message will surreptitiously execute malicious code on the vulnerable device with no action required by the end user and no indication that anything is amiss.
(Score: 3, Insightful) by Snospar on Tuesday July 28 2015, @02:47PM
The vulnerability works at such a low level that even though Google has issued a fix the code won't make its way to most handsets because it would require an update issued by the carrier and/or phone manufacturer and we all know how often that happens once phones are more than 3 months old!
Huge thanks to all the Soylent volunteers without whom this community (and this post) would not be possible.
(Score: 0) by Anonymous Coward on Tuesday July 28 2015, @03:45PM
Yes this is the crux of the issue(NSA feature?). I may dump the eco-system after this. At very least I would move to google branded phones... which is still not ideal solution as I do not trust them at all. I have a fairly new headset (Galaxy S5) and I don't expect this to be patched in under 6 months. That is not acceptable at all.
Assuming I have root privileges, what should I install instead? Is there anything?
(Score: 2, Insightful) by Anonymous Coward on Tuesday July 28 2015, @03:51PM
This shows that the process of going through the carriers must stop. It makes no sense to have the carriers as an impediment to software updates. I don't have to get my ISP to provide updates to Windows or Linux, I shouldn't have to have my carrier provide updates to Android or Windows (phone).
We need to have unlocked, and only unlocked, phones. We need to have generic phone platforms (like we have generic PCs) and put the control of the devices in the hands of those who pay for them - the consumer. I'm amazed this is not covered in anti-trust (or anti-combines) legislation.
(Score: 3, Interesting) by jmorris on Wednesday July 29 2015, @01:06AM
This would require people to buy their own phone instead of lease them from the carrier. And apparently few would buy the high end phones they currently lease so the handset makers would cry when the next quarterly report came out.
If people cared they can buy unlocked phones now. But they don't get updates either. Raise your hand if you think the Nexus devices will even get patched with the month. Anybody?
For all the abuse we joyfully heaped on Microsoft these many dark years of their misule of the desktop, at least at the late nineties they were trying to figure out how to do security. Google grew up in the UNIX world from day one, so what is their excuse? Hell, Android/Linux IS a UNIX operating system so again, what exactly is their excuse?
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @04:49AM
> And apparently few would buy the high end phones they currently lease so the handset makers
> would cry when the next quarterly report came out.
People buy expensive iPads instead of cheaper tablets, expensive Macs instead of cheaper Windows PCs and expensive SUVs instead of cheaper minivans. So, while some people would not buy top end phones, I don't think that few would. Prestige has a price.
I bought an unlocked phone and for me, it's cheaper than any "deal" I could get with a "free" phone. YMMV.
There's no reason why the phone services can't rent unlocked phones; they just have to lock the price into the contract. If you leave and take the phone, you get the rest of the bill. That keeps the initial cost for the user down (with a total cost over time that is higher). But an unlocked, generic phone would not have a problem with upgrades. It would work just like upgrading a Windows or Linux PC. The fact that you can't do that now is not proof it wouldn't work - it only demonstrates that the industry (makers, software providers and service providers) don't give a damn about getting genuinely useful products into our hands; they just want to take our money out of our hands.
(Score: 0) by Anonymous Coward on Tuesday July 28 2015, @04:41PM
If someone exploits this because your carrier didn't provide an update after Google issued the code fix, couldn't you sue the carrier for damages? I hope someone will do so and win. Carriers will only act responsibly if there's a cost involved for not doing so. Not that they are any special in this.
But also Google could do something: It could disallow carriers to get at Google's services for new phones if they didn't provide updates for the old phones. If not updating the old phones would mean that new phones from the same carrier will not get access to Google services, then I'm pretty sure the carriers will be keen on keeping the old phones up to date.
(Score: 0) by Anonymous Coward on Tuesday July 28 2015, @06:39PM
I'm sure the courts would just say that its the customers' fault for continuing to use the phone beyond its EOL, and that they acquiesced to the risks by not buying newer model.
(Score: 5, Informative) by physicsmajor on Tuesday July 28 2015, @02:53PM
Here is how to prevent automatic background downloading of MMS messages. Doesn't fix the problem but you'd have to click first, instead of having them silently execute.
https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html [twilio.com]
(Score: 1, Insightful) by Anonymous Coward on Tuesday July 28 2015, @04:02PM
the instructions are provided as a video or animated gif?
The world is ending. It may have ended. To witness that simple instructions now require a video tutorial to ensure that people can follow along. Maybe instead of eternal september, we now have a frozen turkey november. Because the same people will not know to defrost the turkey first prior to cooking, and require a video to explain why they can't follow the animated turkey preparation instructions on Thanksgiving since the turkey is still frozen.
*frozen turkey's in November being a US centric thing
At least toothpick instructions have not yet required a video. That'll be next, and Wonko will probably manage to follow the dolphins.
(Score: 3, Funny) by takyon on Tuesday July 28 2015, @04:14PM
https://www.youtube.com/results?search_query=toothpick+how+to [youtube.com]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: -1, Troll) by Anonymous Coward on Tuesday July 28 2015, @05:09PM
oh man, now you've done it, I never even thought to search the cesspool.
At least someone is reading my anonymous posting... well I will log in eventually, but if I own up to these comments, then people will know what I think about such things! It could ruin my political aspirations... but knowing people need that much assistance helps me determine what programs I can promise to cut funding for.
(Score: 3, Informative) by takyon on Tuesday July 28 2015, @06:03PM
Pseudonyms: the anons with "class".
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 4, Funny) by maxwell demon on Tuesday July 28 2015, @09:09PM
Object oriented anons?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Tuesday July 28 2015, @04:00PM
i don't get it.
wifi or GSM .. it's the same. the difference is the "capture portal/billing" function and the wattage output power ...
why can i not just go to a website "updatemyandroid.com" with my wifi-phone (via free wifi or paid GSM) click a link,
select my candy version and get an update?
anyways, i guess my tactics of waiting for a "mature" version until jellybean didn't pay off.
got newbie-beta-tester trampled nevertheless : (
dumb phone and SIM-less tablets for me ...
(Score: 3, Insightful) by tathra on Tuesday July 28 2015, @04:11PM
because every phone manufacturer has their own customized, proprietary version of android. there's no money in letting the idiotic consumers do their own updates. better to kill old models off after a few months and force them to buy the new model. yay capitalism!
(Score: 3, Touché) by WillR on Tuesday July 28 2015, @06:38PM
because every phone manufacturer has their own customized, proprietary version of android.
...and every carrier insists on having time to "test" every minor Android release "for quality"
(read: "sit on updates long enough that you'll just buy a new goddamn phone already, Jesus it's been nearly a year already you Luddite! UPGRADE YOUR PHONE! IT'S FREE*")
*"Free" as in $1200 spread out over 24 monthly payments.
(Score: 2, Insightful) by Anonymous Coward on Tuesday July 28 2015, @05:13PM
In this crazy world they make the slaves buy their shackles.
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @12:22AM
It's times like this that I am glad to be a fanboi . . . I am glad I am live in the walled garden . . .
(Score: 0) by Anonymous Coward on Wednesday July 29 2015, @10:12AM
I'm not a fanboy and don't live in a walled garden, and yet I'm not affected by it. Nor am I affected by this, [soylentnews.org] this, [soylentnews.org] this, [soylentnews.org] this, [soylentnews.org] this, [soylentnews.org] or this. [soylentnews.org]