Stagefright: how to protect themselves from the flaw affecting Android devices?

Earlier this week, a serious security flaw was found in the source code to AOSP, based on Android. Security researchers at the basis of the discovery back in a little more detail on the operation of an attack and give some tips for protecting yourself.

For those who have not followed the activity of the beginning of the week, Joshua Drake, a computer security expert working for the company Zimperium found in the source code to AOSP (based on Android) a security hole extremely serious. It relates in fact to all terminals from Android 2.2 to Android 5.x (and therefore 5.1.1). The flaw was named Stagefright since it was found in the AOSP media library that name. In fact, you only receive a MMS corrupted for a hacker to have access to certain features of the phone.

50% of infected devices upon receipt of MMS

Zimperium back a little more detail on the options available to hackers. If one believes the firm, 50% of the terminal could be infected when receiving an MMS, not opening. We imagine then that the company refers to all devices using Hangouts default email software that automatically processes the MMS before opening, unlike the software by default in Android that handles MMS when played by the mobile user.

Disable automatic recovery of MMS

Zimperium recommends users to disable automatic retrieval of MMS in the mailer by going for a walk in the application settings. In this way, the user will see an MMS awaits an unknown contact, but it will then retrieve it manually to start the attack. Deleting the MMS thus solve the problem. However, the flaw will always be present, and it will then be possible for an attacker to go through another means, for example the creation of an Internet page containing a video pockmarked. In this case, there is no possible protection, if not the browser update, like the version 38 of Firefox that fixes the flaw since last May.

A different risk based terminals

The firm says a few more risks in the attack. On some devices, the hacker will be able to run code with the privileges and media use audio and video capabilities of the device, for example spy on the user. On other devices, the hacker can access the system outright privileges to almost complete access to all features of the terminal. Even without these privileges, a rather clever hacker could successfully perform elevation of privilege to access personal data of the victim such as messages, contacts, email, etc. or even cloud services. Zimperium also states that an attack completely silent (without displaying a notification on receipt of MMS) is possible.Regarding the risk depending on the version of Android, Zimperium merely indicate that the Android versions prior to 4.3 Jelly Bean (representing 11% of the current fleet of terminals) are most at risk and we imagine that it is these that allow code execution with system privileges.

Updates that are lagging

Companies using the security solution offered by Zimperium (not available for an individual) are already protected from the flaw, even without updating the source code of Android. We also know that PrivatOS Silent Circle has been updated to version 1.1.7 to fix the flaw and that Google plans to offer an update in the coming weeks on Nexus. Cyanogen was also reactive because CM12.0 versions and CM12.1 nightlies ROM were patched there are several weeks. For other manufacturers, we imagine that the security update will take time to arrive, between internal validations and certifications operators. To expedite the process, Zimperium offers OEMs and mobile operators to directly send the patch. Finally, researchers will put online a video of the feat in the week. The exploit will be released on August 5 at the BlackHat conference.Of course, we imagine that the company Zimperium - including Joshua Drake is director of research and operations division - taking advantage of the media coverage they attract to customers and lucrative contracts. However, it welcomes the attitude of Joshua Drake was paid 1337 dollars by Google to have found the flaw when he could resell hundreds of thousands of dollars to governments or groups of hackers.