Android vulnerability allows hackers to install malware through MMS

Tech Worm ^ | 8/17/15 | Vijay

[ThunderSleeps]

Stagefright vulnerability in Google’s Android operating system has been in headlines recently due to the fact that a large number of (1 billion+) smartphones are vulnerable to this attack. Since Zimperium discovered the the 6 Stagefright vulnerabilities related to Mediaserver in Android devices, Trend Microlabs has found another vulnerability called Silent Attack which can render Android smartphones to go silent or in a reboot loop after a hacker sends a specially crafted multimedia text.

[ThunderSleeps]

The good news is, in order for this attack to work you have to be convinced to install a specially crafted app.

Doesn't sound like much of a vulnerability to me. Heck, if I can convince you to install my app, sure I can own you - with or without a MMS attack.

[ThunderSleeps]

Vulnerability found in MMS — ANDROID PING!
Android Ping! If you want on or off the Android Ping List, Freepmail me.

[for-q-clinton]

This doesn’t make sense to me:

“For an attack to begin, attackers convince the victim to install an app that doesn’t require any required permissions, giving them a false sense of security.”

If I can convince you to run my program...well duh...

[dila813]

Weak Exploit with a big effect ping

[kingu]

Install an app from a 3rd party - so you've got to turn on third party apps, then you have to approve installing another app after getting the MMS message.. Reminds me of the Lightning port attacks on Apple - a whole lot of ifs (though I guess easier on Apple since you can set up a ‘recharging station’ in a public place and people will happily plug into the offered cables.)

[kingu]

And of course, if you’ve got a Nexus phone, you’ve already been updated for these vulnerabilities (so long as you installed the update that was pushed out.)

[Swordmaker]

Install an app from a 3rd party - so you've got to turn on third party apps, then you have to approve installing another app after getting the MMS message.. Reminds me of the Lightning port attacks on Apple - a whole lot of ifs (though I guess easier on Apple since you can set up a ‘recharging station’ in a public place and people will happily plug into the offered cables.)

No, because the attack you are speaking of is not for iOS. . . it was Thunderstrike 1 & 2 and affected Apple Mac OS X through the Thunderbolt device data port, not iOS iPhones/iPads through the Lightning power port.

Plugging in an iOS device with a Lightning power connection can perhaps be an attack venue if you were to connect to a computer device, but the system has to handshake with an already known computer device and then requires the user's AppleID to do so.

Some self-described "security researcher" claimed he had found undocumented, hidden and nefarious, built-in backdoors in iOS devices about a year ago. He was quickly and roundly slapped down by the developer community when they got a look at his so-called "hidden back-doors" and it turned out they were very well known documented AND secure, Apple iOS System libraries used for backing up iOS devices to iTunes and iCloud. . . just off-limits for developers and available only for specific permission system apps, which developers are not permitted to use.

[kingu]

Thank you for the detailed correction.