Scary Vulnerability: One Text Can Hack 95% of Android Phones

[Ollie]

I'm curious if this could be accomplished via email as well.

 

[WellnessFriends]

Scary indeed. Nowadays, it's kinda difficult to have that sense of security like the good old days. I guess this is the price we had to pay that comes with the advancement of technology

 

[Jonny Kansas]

I'm curious if this could be accomplished via email as well.

From what I read, I believe it said that this is based on how android handles media in MMS messages.

 

[Ollie]

From what I read, I believe it said that this is based on how android handles media in MMS messages.

So does email handle media files differently? You would think they hook into the same framework as the MMS does.

 

[Jonny Kansas]

So does email handle media files differently? You would think they hook into the same framework as the MMS does.

According to Lookout...

Any number of applications can process MMS content and thereby receive exploits, but devices using Google Hangouts for this purpose may be most at risk since a victim may not even need to open the message in Hangouts for an attacker to take control of their device. In all other hypothetical attacks it appears a victim needs to open their default SMS messaging app and the message thread itself for the exploit to work (although the media file does not necessarily need to be played within the app).

Based on Lookout’s own Stagefright research over the last 24 hours it also appears that multimedia viewed in a browser (e.g. a web video) could be used to deliver a Stagefright attack.

Read more: What you need to know about the new Android vulnerability, “Stagefright” (What you need to know about the new Android vulnerability Stagefright Lookout Blog

 

[Dusty]

The memory over flow is a separate exploit released yesterday evening. It isn't StageFright.

Yeah. I was wrong. Oh well. I'm still not disabling anything on my phone.
If I get hijacked before a cure is provided I'll be sure to post my ordeal here!

 

[mountainbikermark]

How are we to know when the problem has been fixed?

Sent from my Verizon Galaxy Note4 using Tapatalk

Textra update I got this morning says it's fixed now on their app

Support Our Troops !!!
<><
Beast Mode 4

 

[Jonny Kansas]

Textra update I got this morning says it's fixed now on their app

Support Our Troops !!!
<><
Beast Mode 4

Bold claim. Wondering what they did to fix it...

The vulnerability is fixed, or they added an option to not auto-retrieve MMS?

 

[mountainbikermark]

Bold claim. Wondering what they did to fix it...

The vulnerability is fixed, or they added an option to not auto-retrieve MMS?

Support Our Troops !!!
<><
Beast Mode 4

 

[Jonny Kansas]

Nice.

 

[Ollie]

I find it suspect that they released the very same feature that I requested a few days ago. It is suspect because they told me that simply turning off auto downloading wasn't enough to protect yourself from StageFright.

And I quote (from my response email):

"P.S In other apps, turning off auto-retrieve is NOT enough as once you tap 'download' the exploit becomes active. Additionally you would not get any MMS pics or group messages. Not a good solution."

Maybe they threw that in their because I mentioned I would have to switch back to Messenger in the mean time?

 

[Jonny Kansas]

I find it suspect that they released the very same feature that I requested a few days ago. It is suspect because they told me that simply turning off auto downloading wasn't enough to protect yourself from StageFright.

And I quote (from my response email):

"P.S In other apps, turning off auto-retrieve is NOT enough as once you tap 'download' the exploit becomes active. Additionally you would not get any MMS pics or group messages. Not a good solution."

Maybe they threw that in their because I mentioned I would have to switch back to Messenger in the mean time?

Well, they're technically right. If you download a message that wasn't downloaded by auto-retrieve and it's got the necessary code/command/whatever for the exploit, you're SOL.

I'm assuming that they've added some code to block whatever the trigger is so that you can still get MMS and group messages without having to worry. If that's truly the case, that's a better fix than turning off Auto-Retrieve.

 

[Ollie]

Well, they're technically right. If you download a message that wasn't downloaded by auto-retrieve and it's got the necessary code/command/whatever for the exploit, you're SOL.

I'm assuming that they've added some code to block whatever the trigger is so that you can still get MMS and group messages without having to worry. If that's truly the case, that's a better fix than turning off Auto-Retrieve.

It looks like they just added a feature that other text apps have. They can't fix the exploit...just hinder the path the exploit needs to take so their update is putting them on par with other apps. I just found it to be funny.

 

[mountainbikermark]

It looks like they just added a feature that other text apps have. They can't fix the exploit...just hinder the path the exploit needs to take so their update is putting them on par with other apps. I just found it to be funny.

I'm fine with that until Google does its part, pushes it to Samsung, who will find a way to add bloat to it and take forever to do so then push it to AT&T who will take forever to do it and find a way to make it use more battery on my phone and add more bloat at the same time before eventually pushing it out.

Support Our Troops !!!
<><
Beast Mode 4

 

[XAlexander_AlexanderX]

The Note 4 on the Sprint Network just updated to fix this vulnerability.

Sent from my SM-N910P using Tapatalk