In recent weeks at least two potentially frightening new exploits have been discovered that could threaten an estimated 95% of the one billion devices running the Android operating system. The good news is that as of this writing, there have been no documented attacks on Android devices that take advantage of these two security vulnerabilities. The bad news is that now that information on these security vulnerabilities has been widely published as well as presented at the recent Black Hat hackers’ and security convention in Las Vegas, it may only be a matter of time until some bad guys start to take advantage of them. Google, the progenitor of Android, was promptly made aware of the vulnerabilities as soon as they were uncovered, and has produced patches and fixes for many of the Android devices that have these vulnerabilities. The problem is that with the exception of a few models of Nexus smart phones supported directly by Google, it is up to the phone manufacturers or the cell phone carriers to release the upgrades and patches to close these vulnerabilities. At present, none of the major third party security software publishers provide any protection from these exploits, leaving many of us vulnerable.
One of these newly discovered Android vulnerabilities was given the moniker “Stagefright” by its finder, Joshua Drake, vice president of platform research and exploitation at Zimperium. Drake first reported on the Stagefright vulnerability in April, disclosing his findings to Google, which quickly developed and provided security patches to its Android partners. Most of these Google partners who have not yet provided the patches to their respective customers may not do so for months, if they provide them at all; many phone manufacturers and carriers have explicitly stopped supporting and patching older Android phones, which are still in use by the millions. In several media interviews, as well as his Black Hat presentation, Drake explained that, “All devices should be assumed to be vulnerable.” As stated in a recent (July 27) Forbes magazine interview, Drake said that he believes that as many as 950 million of the one billion Android phones currently in use may be vulnerable to the Stagefright vulnerability. Drake went on to say that only older Android phones running versions of Android below version 2.2 will not be potentially affected by this bug.
It is important for Android users to understand that Stagefright is not a virus or other form of malware that could infect a phone, but is instead a bug, or unexpected and unforeseen security vulnerability in the Android software itself. This vulnerability is in the heart of the Android software that processes, plays, and records multimedia files.
According to Drake, the security vulnerability may allow a hacker to illicitly access a device by simply sending an MMS message (multimedia text message) or multimedia file to the targeted device. What is especially nefarious about the Stagefright vulnerability is that it can be taken advantage of by a hacker without any action by the user; the victim does not have to open or click on anything in order for the hacker to access his device. It is also theoretically possible for a hacker to capitalize on this vulnerability when an unsuspecting victim opens a booby-trapped video file on a website. Once a hacker has taken advantage of this security gap in Android, he can access the victim’s camera, microphone, and any data or images in the device’s external storage. On some devices the hacker can also gain root access to the inner workings of the device.
In order to easily determine if a particular Android device is vulnerable to the Stagefright vulnerability, Zimperium has released a free “Stagefright Detector App”, which is available from the Google Play Store (play.google.com/store/apps/details?id=com.zimperium.stagefrightdetector). A similar detector utility was just released by the security software company Lookout, which it simply calls “Stagefright Detector”. While these utilities will detect the vulnerability, closing it will still require a patch or other fix from the phone maker or the cell phone carrier which is supporting and updating the device. In full disclosure, when I first read of this Stagefright vulnerability and the availability of the detector, I downloaded and installed the detector. My year-old Huawei Ascend Mate 2 phone, which had previously been upgraded by Huawei to Android Lollipop 5.1 (from 4.4), had the Stagefright vulnerability; coincidentally, just yesterday (the day before typing this column), I received a patch from Huawei which, among other benefits, closed the Stagefright vulnerability on my phone. I reran the Stagefright detector from Zimperium to confirm the fix, and the vulnerability on my phone has definitely been patched by the recent update.
Another Android security vulnerability was disclosed at the recent Black Hat security convention. A well known security company, Check Point, disclosed this newly recognized bug, which it named “Certifi-Gate”, and which may potentially allow a hacker to take control of a victim’s phone by utilizing the “Remote Support Tools (RSTs)” software that was installed on the phones by the manufacturers, often at the behest of the cell phone carriers selling those particular phones. Check Point promptly notified the device makers and cell phone companies of the vulnerability.
According to Check Point, there are millions of phones and tablets made by Samsung, ZTE, HTC, LG, and other manufacturers which have incorporated this vulnerable “remote support” function software on their phones; according to Google, Nexus phones do not have this particular vulnerability. Using a security method known as digital certificates, which allows specifically authorized apps to have special access to the phone or tablet, only authorized personnel were supposed to be able to access these support apps in order to provide the remote support capabilities. The problem now is that hackers can spoof or counterfeit these supposedly secure digital certificates, allowing them the same access to the internals and functions of the phone that had previously only been allowed to legitimate support personnel. Once the hacker has tricked the phone or tablet into accepting his spurious digital security certificates, he has direct access to personal information stored on the phone, including contacts, calendars, emails, and text messages, and can turn on the microphone to remotely record conversations, track the location of the device and its user, and otherwise threaten the security and privacy of the victim.
While the device manufacturers and cell phone carriers were promptly notified of the vulnerability, it may be months, if ever, before they push the patches for this newly discovered vulnerability. Users can download a free utility which will show the user if his device is vulnerable to this remote support vulnerability. Written by Check Point, the utility “Certifi-Gate Scanner” can be downloaded directly from the Google Play Store at play.google.com/store/apps/details?id=com.checkpoint.capsulescanner.
According to Check Point, in order for hackers to take advantage of this vulnerability, the user must first download and install an application which contains the code that gives the hacker the access he wants. The Google Play Store continuously monitors the apps which it makes available, checking them to make sure that they do not contain any malware. Check Point advises, “We strongly encourage users to install applications from a trusted source, such as Google Play”.
With the continual battles among users who seem to love arguing iOS and iPhones versus Android devices, iPhone users should not gloat over these Android vulnerabilities. At the Black Hat convention in 2013, which is where many hackers and crackers rub shoulders with security experts, the vulnerabilities of iOS devices, specifically iPhones, were discussed. In one of the presentations, despite the false but widely held belief that iPhones are immune to attack and are very secure by nature, researchers from the Georgia Institute of Technology were able to inject persistent, undetectable malware into iPhones, iPads, and other iOS devices running the latest generation of the iOS operating system. Using a modified USB charger, nicknamed “Mactans” after a type of Black Widow spider, the researchers were able to compromise any current generation Apple device in under a minute. These researchers first found this iOS vulnerability in 2013 and notified Apple of its existence, but there is some question whether Apple has yet fully patched this security vulnerability.
Check your smart phone for these vulnerabilities, and do not download apps from any source other than reputable sources such as the Google Play Store or the Amazon App Store. Do not open any text messages from people that you do not recognize, although text messages can be spoofed just as emails are frequently spoofed. If you find that your device maker or phone carrier is providing a patch, update, or upgrade, strongly consider taking advantage of the offer and update your device immediately.