Homeless in Vancouver: Fixing Stagefright, Android’s Heartbleed bug


      It’s been four whole months since mobile security company Zimperium notified Google that six loopholes in the Android media handler allowed an attacker to remotely take over 95 percent of Android devices using an MMS text message.

      But it’s only in the last seven days that Google’s patch for the so-called Stagefright bug—ready and tested at least a month ago—has begun trickling onto Android phones in the U.S. and Canada, a few models at a time.

      On August 3, four days ago, Samsung Galaxy 4 users on the U.S. Sprint network finally received a Stagefright patch. Two days ago (August 5), Sprint announced more over-the-air (OTA) Stagefright-related patches for various Nexus and Galaxy phones. And yesterday AT&T rolled out OTA Stagefright patches for Galaxy phones on its network.

      It was two days ago, on August 5, that Canadian users of the Samsung Galaxy S6 on the Telus, Wind, Bell, Fido, and Rogers networks finally received a nearly 300MB Stagefright-specific update labeled G920W8VLU2AOG2, according to Mobilesyrup.

      So far as I can see, Telus is the only Canadian carrier that has posted a schedule of Stagefright fixes for other Android phones on its network.

      Last week though, a moderator on a Rogers customer forum did at least advise customers to disable the auto-playing feature for MMS messages on their Android devices (remember, settings may vary):

      1. Go to App Settings
      2. Disable ‘Auto-retrieve’ for MMS messages in the Messaging app’s settings.

      It’s taken four months to begin patching what Zimperium declared was “the worst Android vulnerability in the mobile OS history” and what other computer security analysts were quick to dub “Heartbleed for mobile” (after the so-called Heartbleed SSL web encryption flaw revealed in April 2014).

      Apparently, though, the biggest security hole exposed by Zimperium was not in the way that Android handles media files but the way that it handles and distributes security updates!

      What does it mean for Android to suffer from Stagefright?

      What Zimperium researcher Joshua Drake found in his lab back in April was that a malicious coder could embed malware as executable code inside a video and then send that video to an Android device as an MMS text message.

      Zimperium named the package of vulnerabilities after their source: Android’s Stagefright media playback engine.

      From Android 2.2 onward, Stagefright’s auto-play routine has the unfortunate consequence of launching embedded malware without any interaction (or awareness of what is happening) on the part of the user.

      Zimperium’s Drake has explained that an attacker could exploit the Stagefright flaws to do a number of things, all remotely and all unbeknownst to the owner: write code to the device, steal data from areas the media playback engine has permission to access, record audio and video, look at content stored on SD cards, and hack the Bluetooth connection.

      When Zimperium went public in the last week of July, it was to declare that they had uncovered the "Mother of all Android Vulnerabilities", that it impacted 95 percent of all Android devices and that it—“Stagefright”—was much worse than “Heartbleed”, another software bug named, shamed, and domained by the security company (Codenomicon) that discovered it.

      There is, as yet, no patch available to fix the problem of hyperbole sweeping through the computer security industry.

      No hurry, it only affects 950 million devices!

      As it stands, Google, as the creator and maintainer of the Android operating system, is responsible for writing and testing security patches but the only Android devices that it can directly update itself appear to be (maybe) some Nexus phones and tablets.

      For a security patch to reach the vast majority of Android devices, Google has to pass it on to handset manufacturers—but not so that Samsung, HTC, et cetera, can deliver the patch directly to devices but so that they can further test the patch against their hardware.

      Then the handset manufacturers pass the patch to the mobile carriers (Sprint, AT&T, Rogers, et cetera), which will actually distribute the software patch over-the-air (OTA) to subscribers (but only after they’ve tested it too).

      Android updates trickle out carrier by carrier because Google doesn’t have total control of its operating system; the other stakeholders are free to modify Android as they see fit. But Apple cedes no control of iOS to carriers or anyone else; updates for the iPhone and iPad are available everywhere when they’re released.

      Just imagine for a moment, what it would be like if every security patch for Windows had to go through the same circuitous route as an Android patch. Thank goodness that Microsoft has total control of Windows—at least on the desktop side.

      Just like Android, Windows Phone updates have to be vetted and distributed by the carriers.

      Having suffered a fright, Google and Samsung promise to do better

      Somewhat shamed by their total inability to deal quicker than a slow shuffle with what is arguably a serious security issue affecting hundreds of millions of people, Google and Samsung are separately promising to institute regular monthly OTA security updates.

      Google’s monthly updates, which it says began August 5, apply to select Nexus devices (the Nexus 4 to 7, the 9 and 10 as well as the Nexus Player) for no more than three years.

      Samsung’s vague announcement of updates “about once per month” refers to “collaboration with carriers and partners”, suggesting that it will still be the carriers pushing the updates but perhaps with a greater sense of urgency than is presently the case.

      In case you’re curious about the vulnerability of your Android device, good ol’ Zimperium has created a free Stagefright Detector app, which checks for all six vulnerabilities and reports the results.

      Stanley Q. Woodvine is a homeless resident of Vancouver who has worked in the past as an illustrator, graphic designer, and writer. Follow Stanley on Twitter at @sqwabb.

      Comments

      1 Comments

      Barry William Teske

      Aug 9, 2015 at 6:20am

      Totally hilarious.
      When security has to default to a patch on a time delay in multiple time zones well just exactly where is it that call is coming from?