Google has responded to the situation, asserting in a statement to The Verge, “We’ve already sent
the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA
update in the September monthly security update”.
If that wasn’t bad enough, Rob Miller from MWR Labs has found another vulnerability that can
bypass the sandbox mechanism. It was originally reported back in March, and it seems that Google
has yet to release a relevant patch. Researchers at Trend Micro also claim to have found a
vulnerability, this time in Android MediaServer, which they reported to Google back in June (Google
published a fix in early August).
The reality is, even if Google’s next patch is effective, it doesn’t address the full story. The
Stagefright media circus simply revealed a can of worms that opened long ago – Android has some
major security flaws, and the broken chain of distributors and manufacturers makes it nearly
impossible to rectify.
What you can do
If you have an Android phone with version 2.2 or higher, it may seem that there isn’t much left in
your control. But we encourage you to do all you can to take security into your own hands.
While it’s true that there are limits to your autonomy in the face of all of the vulnerabilities your
phone could be riddled with, there are several steps you can take to make your experience on
Android safer. Even if you don’t have an Android phone, you can use these tips and apply them to
your own smartphone experience.
Change your settings
It’s important to acknowledge that Zimperium illustrated an exploit through MMS, and that’s what
the media has held onto, but this is just one example of how the vulnerability can be exploited.
Disabling auto-retrieval will therefore not necessarily protect you from all possible hacks.
Joshua J. Drake himself said at the Black Hat conference that the Stagefright bug is exposed via
multiple attack vectors.
With that being said, the MMS attack has been receiving a lot of attention, and it’s possible that
cyber criminals are getting ideas. So it’s best to deactivate auto-retrieval as it preloads videos and
messages for you. Here is how to disable the auto-retrieval feature on the most common messaging
applications:
Google Hangout
Open the app and select Settings by tapping the three horizontal lines in the top left corner.
Click the Settings wheel and then select SMS. Uncheck Auto-retrieve MMS.
46 Cyber Warnings E-Magazine – October 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide