Two weeks ago, a frightening vulnerability was discovered on Android phones. Dubbed Stagefright, it allows an attacker potential access to higher functions of your phone by simply sending you a text message with attached and infected media, such as a video or audio clip, or a photo. Luckily, this flaw was discovered relatively early by Zimperium zLabs VP of Platform Research and Exploitation, Joshua J. Drake. A patch was also provided by Drake and co., and Google was quickly alerted to both the problem and the solution. End of story? Unfortunately, no. Patching issues and new vulnerabilities have complicated things, and your Android phone may be vulnerable for a while yet.
The patch is indeed being delivered by Google to all of its own stock Android phones, including Nexus and HTC devices. Major vendors have all been alerted, and promises to patch or offer monthly fixes have been secured from Samsung, LG, Motorola and other major players. This means that a great majority of phone owners can breathe a sigh of relief. However, the trouble with Android is very similar to the Trouble with Tribbles. Even in the past year, device fragmentation has increased by 28%, even as OS fragmentation has declined. This means that while the big players are on board, and patching their phones, it is unclear how many outlier devices might still be affected. In addition, carriers often take over patching responsibilities from manufacturers, pushing their own updates and fixes. This makes it incredibly difficult to ensure that a vulnerability is patched on all affected devices.
Note any similarities?
On the heels of the Stagefright discovery, another vulnerability nearly as widespread has been discovered. This is the so-called “Certifi-gate” vulnerability, where weaknesses in the OpenSSLX509Certificate class for Android can be exploited by an app to gain system-level access on your device by compromising the system_server process. This vulnerability does not affect all versions of Android, but it does affect the newest versions – anything version 4.3 and up. This totals over 55% of current devices.
A savvy attacker with knowledge of this vulnerability will infect your device by creating a small app (or game). This app will not ask for any unnecessary privileges, lulling the victim into a false sense of security. Once the app is installed, the attached malware changes memory values on the handset, using the OpenSSLX509Certificate flaws, and escalates privileges. The attacker can then replace existing applications already on the device, and begin harvesting data.
Again, a patch for the flaw exists, but users might have to wait to receive it from carriers and manufacturers.
Note: If you are concerned about the Stagefright vulnerability, and unsure if your device has been covered by Google or manufacturer patches, learn how to reduce your vulnerability here.
Securing your Phone
The Trouble with Tribbles metaphor may not apply only to the proliferation of Android devices, but also to the potential vulnerabilities. Due to the difficulties of ensuring patches for over 24 thousand distinct devices, with hundreds of different carriers and manufacturers in play, each new vulnerability has far too long a window in which it can be exploited.
An automated patch system initiative may be the answer to reducing this window. Automated patch systems have yet to be implemented for a majority of Android devices and manufacturers. An industry commitment similar to that undertaken by the PC industry would be required to make this happen – something that has yet to occur. Until it does, it might be time to take more drastic measures to secure your phone.
Above, we posted a link to a video showing how to disable automated processing within messaging apps on your phone, in order to reduce the risk of exposure to the Stagefright vulnerability. The number of such convenience-based ‘enhancements’ on a stock Android phone might be alarming enough, but once you include the variances of vendors and carriers, and the number of potential vulnerabilities – location tracking, data mining, remote surveillance and more – the situation is downright untenable for the security-minded individual. At any rate, the solution to many of these exploits is illustrated perfectly here: to eliminate a vulnerability, eliminate or reroute the point of access.
The best way to do this? Make sure your device cannot be subjected to escalation of privilege attacks. This can be done by locking down the device to a single application loader, accessible only by an external device management service. If your device cannot install or accept instructions from an on-device threat, the device cannot be taken advantage of, nor can the problem spread. Secure Phone operates in this way, ensuring that malicious software cannot gain a foothold on the device by forcing all applications to be pushed and installed by policies from our Secure Administration System. Even if installed through our back-end server, typical escalation of privilege attacks are foiled simply because the device itself does not allow the malware to perform mischief through its usual channels.
You can still add your favorite (or required) apps to your Secure Phone device, but only by uploading the APK to our servers and pushing it via policy to your device. Obviously, the user has to be responsible for vetting any apps added in this way.
Simply put, an added step in implementing a service to your secure device can be the deciding factor in keeping it safe. Measure twice, and cut once. For a secure organization, this mantra should be especially enforced. Application purchases and downloads can benefit greatly from the same restraint advised when grocery shopping: avoid the impulse buy. With a Secure Phone, however, you don’t have to rely on your willpower to do so. And anything hiding in your cart jumps out on its own. No more Tribbles.
According to one source, Google has flubbed the first patch release for the Stagefright vulnerability. The exploit itself is fixed, in the sense that devices are no longer accessible for take-over. However, one of the latter patches creates (or rather leaves open) a new vulnerability that could allow denial-of-service attacks by crashing the device. Details on this "flubbed patch" can be found here.
We hope you'll continue to follow us, as we update you on the latest security and privacy related stories.