Patch Problems for Android “Stagefright” Malware

Two weeks ago we reported on a vicious piece of malware threatening Android users across the globe, the so-called “Stagefright” bug. After a long wait, and numerous frustrated Android users, the developers of the world’s most popular operating system have finally begun to implement a patch, but not without its own problems.

The release of the patch was announced on the Android community website on 6 August, though for many this has only increased frustration because at present the patch is only available to certain phone types. What’s more, a recent report suggests that there are problems with the patch itself.

Stagefright

According to the expert security report that first identified the malware, all devices running the Android operating system, particularly smartphones, are under threat of a breach in data security. In the case of phones, hackers can easily access personal and confidential data simply by obtaining a targeted user’s phone number.

Essentially, all a hacker has to do to exploit the bug is to send the user a text message with a malicious attachment, which would then allow the hacker instant access without the user even opening the text. Once the hacker has gained entry, s/he may access any of the data stored on the phone, including documents, passwords, photos, and other files, as well as being able to control any of the phone’s features, including the camera, microphone, the messaging app, and the video and audio functions.

As we reported, Android’s very own Hangouts app makes it easy for hackers to access personal data because it processes video attachments instantaneously, making them easily available in the phone’s gallery. However, the risk of a breach is lessened for those using Android’s messaging service, MMS, since users need to open a text message before the attachment is processed.

The emergence of the bug has left Android users in disarray. The operating system is the most widely used in the world, boasting 80% of all phone users. When the bug was first discovered by security experts Zimperium there were an estimated 950 million users at risk, pretty much every Android phone in operation. Admittedly, that number has fallen, though the patch has taken a long time to trickle down to users.

The patch

Thus far, Google has delivered the patch to OEMs, carriers and their partners. What’s more, they’ve started sending updates out to subscribers, but currently only to those with the newer Samsung smartphones. This has led many critics to predict that newer models will be given priority, and as yet it’s unclear when the patch will be made available to older models.

According to the Android community the fix is now available as an update, but only for AT&T subscribers with the following devices: Galaxy Note 4, Galaxy S6, Galaxy S6 edge, Galaxy S6 Active, Galaxy S5, and Galaxy S5 Active. If you fit these criteria, navigate to your phone settings and check for a new system update.

Patching up the patch

According to a report released today by researchers from the data security watchdog Exodus Intelligence, there is a problem with the original patch that was released by Google that could still leave users vulnerable to Stagefright. During their research, Exodus forced a system crash on an Android phone simply by sending an encoded mp4 file using Android’s MMS app.

A spokesperson from Exodus said that “There has been an inordinate amount of attention drawn to the bug,” adding that “We believe we are likely not the only ones to have noticed it is flawed. Others may have malicious intentions.”

Google gets stagefright

Google have confirmed the problem identified by Exodus and have announced a second patch, saying in a statement: “We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update”.

Despite their speedy response this time around, Google received hefty criticism due to the length of time they took to respond to the malware and to provide a solution. According to the security firm that discovered the bug, Google was notified about Stagefright way back on 9 April. A staggering 109 days went by before the tech giant even acknowledged the bug publicly. When they finally got around to releasing a statement, Google said that they had released a fix, though critics pointed out that the company could not administer the patch directly to all Android users (only to those using Nexus devices), since this would be the job of the phone manufacturers and partners.

In Google’s defence, they have pointed out that mitigation systems on Android devices, such as Address Space Layout Randomization, make the bug especially difficult to exploit reliably in practice. What’s more, Google have only had a few days to fix the original patch, instead of the usual 90-day period.

If you’re an Android user and you haven’t had access to an update from your OEM or carrier, the most effective temporary fix is to disable the auto-fetch feature in your MMS settings (this only applies to those using Messages, Hangouts, and other Android messaging apps). For all Android users who have yet to receive a patch, the data security firm Lookout has released an app called “Stagefright Detector,” which identifies whether or not your device is susceptible to a Stagefright attack. For regular updates visit the Android community.
