Android gets stagefright; users get new security headache

From the August 6, 2015 edition of The Pueblo Chieftain

By Anthony Settipani

Last month, a security research firm claimed to have discovered a way to hijack nearly any Android phone, using only the target’s phone number.

Though the exploit has been known to phone companies since May, updates have been slow to reach the public due to the vast variation in carrier, device and manufacturer inherent in the Android platform. An estimated 95 percent of Android phones remain at risk.

“This level of hacking has never been seen,” said Ken Colburn of Data Doctors Computer Services and Data Forensics. “This is the most widespread and dangerous exploit we’ve seen on the Android platform.”

Colburn founded Data Doctors 27 years ago, and has been working in the information security industry ever since. He describes this as the worst security risk in Android’s history.

This “Stagefright” vulnerability, which allowed researchers to take control of phones simply by send- ing them an infected video message, was discovered and reported to Google in April by Joshua Drake, a researcher and vice president at mobile security company Zimperium zLabs.

“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” Zimperium wrote in its blog on July 27. “Before you wake up, the attacker will remove any sign of the device being compromised and you will continue your day as usual — with a Trojaned phone.”

Colburn said there is so far no record of anyone caught using this vulnerability to try to steal information outside of a laboratory setting. If it were actually “in the wild,” he said, there is no limit to the damage a criminal could inflict.

“A good way of thinking about it is that he has your phone in his hand,” Colburn said. “Anything you can do with it, he can do, too.”

Stagefright affects all phones operating on Android versions 2.2 to 5.1, though those with the newest version, Android 5.2 “Lollipop,” are believed to be safe. Although Google issued its first patch back in April, phones whose manufacturers and carriers have not yet fixed the problem remain vulnerable.

“Because of how Android is set up, every version of the Android operating system is modified by each manufacturer,” Colburn said.

Carriers play a role as well.

“The Samsung phone for the Verizon network is different from the Samsung phone for the AT&T network. So there are three distinct parties involved.”

Last week, Colburn posted instructions online for how consumers can protect themselves from having their phones taken over by an infected message. The first thing to try, he said, is to stop using the auto-download and auto-retrieval feature on the phone’s messaging app. If the phone is old enough that it doesn’t have that setting, Col- burn said it’s best to stop using the app entirely. Finally, he recommended that users only download multimedia messages from trusted sources, and to stop using Google Hangouts video chat on Android phones.

Leave a Reply