Malware by Text – Android Users Vulnerable
August 3, 2015

A security researcher has found that Android phones can be easily hacked with a single text. A specially crafted multimedia message (MMS) can do the job. This leaves the vast majority of Android users at risk. All the attacker needs is the victim’s mobile number.

The exploit has been named Stagefright, after a core Android component that contains multiple vulnerabilities. This component is used to process, play and record multimedia files.


This is by far the most serious Android vulnerability discovered. The user doesn’t have to do anything to get infected, and the attacker doesn’t have to be in close proximity to the victim.

In the prototype that a researcher put together, the only indication that something was wrong is an MMS notification from an unknown user. The message itself could be anything. Another factor is that the vulnerable code is executed before the notification occurs. The implication is that an attacker might be able to delete the message so that there’s no trace of the attack.

For example, the attacker could send a malicious MMS while the victim is sleeping and the phone is in silent mode. The exploitation message can then be deleted, and the victim would be none the wiser that the phone has been hacked, leaving the victim with a trojaned phone.

It cannot be ascertained how many applications rely on Stagefright, but in all probability just about any app that handles media files on Android uses the component in one way or another.

Some experts are calling it “Heartbleed (see Definition) for mobile.” The issues in the Stagefright code critically expose 95% of Android devices, which is estimated to be around 950 million users.

Android and derivative devices running version 2.2 and later are vulnerable. About 11% of devices, those running Android versions prior to Jelly Bean, are at greater risk due to inadequate exploit mitigations. After the problem was reported to Google, the company applied patches, but full fixes require all devices to receive an over-the-air firmware (see Definition) update. This involves many parties and will therefore take time, and some may never get around to it.

This is because the rest of the Android ecosystem – the handset manufacturers and wireless carriers, for example – may take weeks or longer to deliver the update.

The good news is that the Stagefright vulnerabilities do not grant attackers access to the victim’s entire Android device, but only to their media files. This vulnerability could be a threat to an individual, but is it of greater concern to the enterprise?

“We are seeing a lot of attacks. This is the most silent threat to the enterprise out there, empowering attackers to essentially spy on anyone from executives to prime ministers and celebrities,” says the CTO of Zimperium zLabs, which discovered the vulnerability.

 

 

Recommendation

1.  Update your phone to the latest software.

2.  Shut down your phones before going into sensitive meetings.

3.  Turn off the auto-download feature for MMS messages, and avoid opening MMS messages from unfamiliar senders.

 

Definition

1.  Heartbleed – is not a virus, but rather a mistake written into OpenSSL – a security standard encrypting communication between users and servers, used by a majority of online services. This vulnerability allowed hackers to extract data from massive databases containing user names, private data, etc. It was first reported in April 2014.

2.  Firmware – is a software program or a set of instructions programmed on a hardware device. It provides necessary instructions for how the device communicates with other parts of the hardware. It is typically stored in the flash ROM of a hardware device. While ROM is “read-only-memory,” flash ROM can be erased and rewritten.

 

Source

1.  CSO Online.

2.  Info Security.

3.  Dark Reading.

4.  i4u.com (image, Stagefright)

 

The Week That Was

1.  National Security Agency (NSA) to destroy bulk collection of surveillance data. As a result of the federal law passed in June ending the NSA’s collection of U.S. citizens’ telephone records, the NSA will restrict access to, and ultimately destroy, millions of US phone records.

2.  Car hacking is now a reality. The next time you are behind the wheel of a car, make sure that you are in control of the car. Hackers have been reported to be able to break into hundreds of thousands of vehicles on the road. Two researchers recently demonstrated their ability to control a Jeep Cherokee remotely from miles away by exploiting the car’s entertainment system by way of the mobile data network.

3.  Advanced Android hacking tool leaked online. Security researchers delving deeper into the Hacking Team data dump have found more source code, including an advanced Android hacking tool. This tool has the capability of infecting millions of Android devices even when users are running the latest versions of the Android operating system. RCSAndroid (Remote Control System Android) has been described as one of the most professionally developed and sophisticated pieces of Android malware.

4.  New Android vulnerability can crash phones. Android is having a bad week. Trend Micro has reported a new vulnerability that could crash more than 55 percent of Android phones, leaving them completely unresponsive and unable to perform very basic functions, including making or receiving calls. This security flaw affects any device running Android 4.3 Jelly Bean and later, including the latest Android 5.1.1 Lollipop.

5.  $10 device can clone RFID-equipped access cards. If you are using Radio-Frequency Identification (RFID) cards to manage your building access and security, they can be hacked, thanks to a tiny $10 device developed by two security researchers to circumvent these RFID cards. The device, dubbed BLEkey (Bluetooth Low Energy), is designed to be embedded in an RFID card reader. It was built to raise awareness and to show that the Wiegand communication protocol, used by the majority of card readers today, is outdated.