This isn’t good. Michael Mimoso, for Kaspersky’s ThreatPost:
Researcher Joshua Drake, vice president of platform research and exploitation at Zimperium zLabs, said exploits could be particularly insidious given the fact that an attacker need only use a malicious MMS message that could trigger the vulnerability without user interaction, and delete the message before the victim is aware. All an attacker would need, Drake said, is the device’s phone number.
An attacker in possession of their target’s phone number could send an MMS or even a Google Hangouts message to an affected device that triggers the vulnerability before the victim has a chance to open the message. In some cases, the attack would delete the MMS in question, leaving behind only a notification that a message was sent. Drake said the processing carried out by Stagefright is a bad design and implementation choice, and that once he dug in and did additional fuzzing and learned more context from prior work, he said he uncovered close to a dozen issues, with half of those being critical remote code execution vulnerabilities; the others were less serious and did not have RCE implications.
That’s pretty scary: merely receiving a malicious MMS will likely trigger the attack which, if executed correctly, can run remote code, all with zero user interaction. But, while Google has patched this, it faces the same problem as any other software update for Android: the companies that make the phones have practically no financial incentive to update their devices. As far as they’re concerned, their job is done. NPR, for example, spoke with HTC:
Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.
“All projects going forward”? I know HTC doesn’t sell a lot of phones so, by the numbers, their user base does not even constitute a reasonable minority of those affected, but come on. That’s a weak response. I’m hoping that other major manufacturers will do the right thing instead of worrying purely about their bottom line.