18 March 2016

New Exploit To ‘Hack Android Phones Remotely’ Threatens Millions Of Devices

March 17, 2016 ·
www.fortunascorner.com
Swati Khandelwal writes on the March 17, 2016 cyber security website, The Hacker News, that “Millions of Android devices are vulnerable to hackers and intelligence agencies once again — Thanks to a newly disclosed Android Stagefright Exploit. Stagefright exploit allows an attacker to hack Android smartphones in ten seconds — just by tricking users into visiting a hacker’s webpage that contains a malicious multimedia file. The team’s exploit works on Android versions 2.2 to 4.0, and 5.0 to 5.1,” — about 95 percent of all Android phones.
“A group of security researchers from [the] Israel-based research firm Northbit, claimed it had successfully exploited the Stagefright bug that was emerged in Android last year; and described as the worst ever discovered,” Ms. Khandelwal wrote. In addition to successfully hacking the Android, the researchers also used this technique to successfully hack “a Samsung Galaxy S5, LG G3, and HTC One,” The Hacker News warns.
“The new Stagefright exploit, dubbed Metaphor, is detailed in a research paper that guides the bad guy, good guy, as well as government spying agencies to build the Stagefright exploit for themselves.” Ms. Khandelwal added.
What Is The Stagefright Bug And Why Do You Have To Worry About It?

“Stagefright is a multimedia playback library, written in C++, built inside the Android operating system to process, record, and play multimedia files, such as videos,” the publication noted. “However, what Zipmperium researchers discovered last year,” Ms. Khandelwal writes, “was this core Android component can be remotely exploited to hijack 95 percent of Android devices — with just a simple, booby-trapped message, or web page. Another critical vulnerability discovered last October in Stagefright, exploited flaws in MP3 and MP4 files, which when opened were capable of remotely executing malicious code on Android devices, and was dubbed Stagefright 2.0.”
The Hacker News reports that Google has released a security update that patches the critical bug, as well as promised regular security updates for Android smartphones.
How The Stagefright Exploit Works

The first step is something that continues to plague unsuspecting web surfers. The hackers trick an unsuspecting user into visiting a malicious web page — that appears benign, but which contains a Trojan Horse — “a video file that crashes the Android’s mediaserver software to reset its internal state,” Ms. Khandelwal writes. “Once the mediaserver gets a restart, JavaScript on the webpage sends information about the victim’s device over the Internet to the attacker’s server. The attacker’s server then sends a custom generated video file to the affected device, exploiting the Stagefright bug to reveal more information about the device’s internal state. This information is then sent back to the attacker’s server — to craft another video file that embeds a payload of malware in it, which when possessed by Stagefright, starts executing on the victim’s smartphone….with all the privileges it needs to spy on its owner.”
Google has issued patches; but, are these patches sent in the open? If so, doesn’t that allow hackers to conduct a digital autopsy in an effort to compromise the patch? I do not know the answer to that; and, maybe there is no other practical way of conducting digital triage. Once again, Internet uses need to keep their digital antenna’s on high alert at all times when surfing the net; and, with emails from someone they do not recognize. And, for those emails offering discounts from major commercial entities — you are always better served, if you Google the company’s website first — to see if there is such a promotion, and/or contact their customer service to verify that you actually did receive a legitimate email from them. Otherwise, you could fall victim to what appeared to be a legitimate digital coupon — only to find out it is a digital honey trap. V/R, RCP

No comments: