Incomplete Security patch !! Millions are Vulnerable

Wanna hack someone's Android smartphone by sending just an MMS message?

Yes, you can, because Google's patch for the Stagefright vulnerability in hundreds of Millions of Android devices is BUGGY.

Last week, Google issued an official patch for Stagefright vulnerability that affects 95 percent of Android devices running version 2.2 to version 5.1 of the operating system, an estimated 950 Million Android devices in use worldwide. But, the patch is so flawed that hackers can still exploit the Stagefright vulnerability (CVE-2015-3824) anyways.

"The [original] patch is four lines of code and was (presumably) reviewed by Google engineers prior to shipping," researchers at Exodus Intelligence wrote in a blog post published Thursday. "The public at large believes the current patch protects them when it, in fact, does not."

Buggy Patch Issued by Google

 

The patch doesn't fix the vulnerability, allowing booby-trapped MP4 videos that supplied variables with 64-bit lengths to overflow the buffer and crash the smartphone when trying to open that multimedia message. The firm notified Google of the issue on August 7th, two days after their Stagefright presentation at the Black Hat conference, but it didn’t receive any reply from the company regarding their release of an updated fix.

Therefore, the firm released code showing how to crash the smartphone exploiting Stagefright vulnerability because the search giant is still "distributing the faulty patch to Android devices via over-the-air updates." The flawed patch has been assigned the vulnerability identifier CVE-2015-3864, according to the Exodus researchers, but at the moment it is hard to say when a right fix for the loophole will be available.

"Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor's software," but if it can't "demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?," the Exodus researchers wrote.

When reached out for comment, a Google spokesperson confirmed the findings and said the company had distributed the second patch to its OEM partners, however, its own Nexus 4/5/6/7/9/10 and Nexus Player will receive the patch as a part of its September patch update.

So, in order to get rid of this problem, you need to keep an eye for this new patch to fix the old flawed-patch.

Simple TEXT Message to HACK ANY ANDROID Phone Remotely

Own an Android phone? Beware, Your Android smartphones can be hacked by just a malformed text message.

Security researchers have found that 95% of Android devices running version 2.2 to 5.1 of operating system, which includes Lollipop and KitKat, are vulnerable to a security bug, affecting more than 950 Million Android smartphones and tablets.

Almost all Android smart devices available today are open to attack that could allow hackers to access the vulnerable device without the owners being aware of it, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium.

 

 

 The vulnerability actually resides in a core Android component called "Stagefright," a multimedia playback library used by Android to process, record and play multimedia files such as PDFs.

 

A Text Message Received...Your Game is Over

The sad news for most of the Android users is that the fix will not help Millions of Android users that owned older versions of the operating system that Google no longer supports, opening doors for hackers to perform Stagefright attack.

Drake has developed and published a scary exploit that uses a specially crafted text message using the multimedia message (MMS) format.

All a hacker needs is the phone number of the victim’s Android device. The hacker could then sends the malicious message that will surreptitiously execute malicious code on the vulnerable device with no end user action, no indication, nothing required.

"These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited," reads the Zimperium blog post published Monday.

"Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised, and you will continue your day as usual—with a trojaned phone."

Stagefright: Scary Code in the Heart of Android

The same vulnerability can also be exploited using other attack techniques, such as luring victims to malicious websites.

 

 

 

 

 

Drake will present his full findings, including six additional attack techniques to exploit the vulnerability, at Black Hat security conference in Las Vegas on on August 5 and DEF CON 23 on August 7, where he is scheduled to deliver a talk titled, Stagefright: Scary Code in the Heart of Android.

Almost all Android devices containing Stagefright are in question. According to Drake, all versions of Android devices after and including version 2.2 of the operating system are potentially vulnerable, and it is up to each device manufacturer to patch the devices against Stagefright attack.

 

 

When will I expect a Fix?

Google has patched the code and sent it to device manufacturers, but devices require over-the-air updates from companies such as Samsung or Motorola to update their customers' phones. Given the shaky history of handset manufacturers and carriers rolling out security patches, it is not known how long the companies will take to update vulnerable Android devices against Stagefright attack.

However, Silent Circle has patched the issue in its Blackphone, as has Mozilla, which uses Stagefright code in Firefox OS.