Page 45 - index
P. 45
With the support of Zimperium and Optiv, Drake conducted this security research, using his “droid
army” – a collection of 51 Android devices. You can learn more about how he conducted his
research in his presentation at the Black Hat conference in Las Vegas.
A fragmented Android world
Android is one of the world’s most popular operating systems and it has a unique story. The rate of
development is incredibly fast, but that development doesn’t come without a price. Since original
equipment manufacturers and carriers are able to adapt the operating system due to its open
source nature, this leads to a number of iterations that have unique update and patching needs –
over 24,000 models currently exist in the Android ecosystem.
The biggest problem with this vulnerability, as Ars Technica writer Ron Amadeo points out, is that
original equipment manufacturers have been able to adapt the Android code to work with their
devices. This creates a dilemma where an unthinkable amount of patches would have to be made
in order to successfully protect the majority of Android phones out there, and no single company,
team, or entity is responsible for getting this issue under control. Because updates will focus on
newer phones, and many patches will be dependent upon a myriad of manufacturers and carriers to
distribute them, it is possible that millions to hundreds of millions of devices will remain vulnerable
indefinitely.
What’s being done?
Google, as well as number of manufacturers and carriers have responded with patches for the
following devices.
Zimperium has also launched its ZHA Alliance to address the issue of communication between
relevant manufacturers and carriers on the issue. As Zimperium so aptly stated, “According to our
understanding of the Android ecosystem, security issues reported to Google are only shared with
active partners”.
Zimperium has also released an app known as the Stagefright Detection app, which can help you
identify if your phone is actually affected by the vulnerability.
So what’s the problem?
You might think that since the patches are rolling out, there shouldn’t be any further problems.
Surely the patches will trickle down to older phones, and Zimperium will help facilitate that
communication between Google, carriers, and manufacturers
Even if that is the case and the majority of phones get patched up, there may be an issue with the
effectiveness of Google’s first patch. Security researcher Jordan Gruskovnjak at Exodus
Intelligence has reported that the initial patch released by Google was inadequate. The Exodus
team was able to craft an MP4 that could bypass the patch. They even claim that Zimperium’s
Stagefright Detection app will green-light your patched phone, even though it’s still vulnerable.
45 Cyber Warnings E-Magazine – October 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
