
Major Flaw in Android Phones Would Let Hackers in with Just a Text - dynofuz
http://www.npr.org/sections/alltechconsidered/2015/07/27/426613020/major-flaw-in-android-phones-would-let-hackers-in-with-just-a-text
======
jimrandomh
Summary: MMS messages can cause Android phones to decode video with
libstagefright, which is a C++ library with vulnerabilities and insufficient
sandboxing, leading to remote code execution without user interaction.

You can partially mitigate the risk by disabling auto-downloading of MMS
messages in whichever app you have set to handle text messages, such as
Messaging or Hangouts. THIS IS URGENT. While the precise details of the flaw
have not been publicly disclosed, this disclosure is sufficient for a skilled
person to rediscover the flaw, which means that there is a considerable risk
that someone will systematically use it on all the phone numbers.

~~~
13
It's likely too late for panic, everyone is probably owned already. It has the
best infection vector ever, unauthenticated, unsolicited messaging with an
easily discoverable addressing method. What more could a worm want?

~~~
ksenzee
Wouldn't you know if you'd received a sketchy MMS from a number you didn't
recognize?

~~~
ChrisAntaki
Not if the attacker deletes the message post-pwnage.

~~~
Florin_Andrei
But wouldn't there be a trail of notifications, or something?

~~~
13
If malware has root access it can alter everything on the phone without you
ever seeing it. Any information falsified, all detection tools subverted.

------
cosarara97
Google might have to rethink Android's updating strategy, if vulnerabilities
like this keep coming out. Of course it would be nice to never have to update
some devices, but it's not viable if they are: a) As complex as an Android
phone and b) Connected to the internet/phone network.

~~~
shkkmo
It's pretty absurd that Google can't require its partners to push out updates
to critical security flaws like this.

It's also pretty absurd that Google doesn't support security fixes in a 3 year
old operating system (Jellybean).

If the NSA and other three letter agencies aren't using the exploit now, I bet
they will have an implementation live within a week.

~~~
bitmapbrother
I completely agree. They can force their OEMs to follow rules regarding the
installation of Google Play services and apps yet they cannot seem to force
them to update their software. Every OEM that wants Google Play services and
apps should be required to supply OS and critical security updates to their
phones for at least 3 years.

~~~
BillinghamJ
imo, should be aiming for more like 5 years. Apple's set that benchmark with
still supporting iPhone 4s, iPad Mini, etc.

------
guelo
> Drake speculates that Stagefright has its excessive permissions and Internet
> access to satisfy some types of digital rights management processing or
> streaming playback.

Goddamn you Hollywood.

~~~
Jehops
I don't see any mention of Stagefright in the article.

~~~
guelo
Looks like the moderators switched out the article. It used to point to this
one
[https://threatpost.com/android-stagefright-flaws-put-950-mil...](https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960)

~~~
acqq
"The problem is that Stagefright is an over-privileged application with system
access on some devices, which enables privileges similar to apps with _root
access._ Stagefright is used to process a number of common media formats, and
it’s implemented in native C++ code, making it simpler to exploit."

This is huge.

------
bitmapbrother
These look to be the flaws:

[http://review.cyanogenmod.org/#/c/103276/](http://review.cyanogenmod.org/#/c/103276/)

[http://review.cyanogenmod.org/#/c/103275/](http://review.cyanogenmod.org/#/c/103275/)

[http://review.cyanogenmod.org/#/c/103274/](http://review.cyanogenmod.org/#/c/103274/)

[http://review.cyanogenmod.org/#/c/103273/](http://review.cyanogenmod.org/#/c/103273/)

[http://review.cyanogenmod.org/#/c/103272/](http://review.cyanogenmod.org/#/c/103272/)

~~~
dennisgorelik
Is it normal to have a 2000+ line class?

Looks like an instant code smell to me.

~~~
artichokeheart
I've seen 10000+ line classes in the corporate world

~~~
dennisgorelik
I've seen longer classes in the corporate world too. Such code was always
buggy and hard to maintain.

------
leephillips
Can I configure my phone to reject text messages with attached video? I'm
thinking that would protect me from this exploit, plus, as a bonus, I wouldn't
get text messages with attached video.

EDIT: I appreciate the replies. I was really wondering if I can disable video
attachments without disabling other MMS features such as pictures and long
messages (in Android 4.3).

~~~
irremediable
I'm pretty sure you can just turn off MMS retrieval, yeah -- either in your
messaging app or the phone's network settings.

The only problem is that many phones automatically turn long SMS messages into
a single MMS message. As I understand it, you might not receive those --
although I'm not sure about this.

------
pwnna
I see a series of patches going on CyanogenMod (5 on 12.1 and only 3 on 12.0).
Are there any more?

1. [http://review.cyanogenmod.org/#/c/103267/](http://review.cyanogenmod.org/#/c/103267/)

2. [http://review.cyanogenmod.org/#/c/103268/](http://review.cyanogenmod.org/#/c/103268/)

3. [http://review.cyanogenmod.org/#/c/103269/](http://review.cyanogenmod.org/#/c/103269/)

4. [http://review.cyanogenmod.org/#/c/103270/](http://review.cyanogenmod.org/#/c/103270/)

5. [http://review.cyanogenmod.org/#/c/103266/](http://review.cyanogenmod.org/#/c/103266/)

~~~
0x214655434B21
Looks like all of jduck's commits are fixes for libstagefright.

[https://github.com/CyanogenMod/android_frameworks_av/commits...](https://github.com/CyanogenMod/android_frameworks_av/commits/cm-12.0?author=jduck)

------
guelo
If a two year old phone doesn't get security patches is that enough for
massive class action lawsuits? It's a defective product.

~~~
stormcrowsx
With most manufacturers you do good to get updates after 6 months. I'd like to
see a class action on it but have no idea of its feasibility.

~~~
pasbesoin
A bit over a year ago, I bought the first generation Moto X from... well,
Verizon "sold" me the phone, but it shipped directly from Motorola, then owned
by Google. For reasons I'll mostly skip (signal/reception), I needed to stay
with Verizon.

I bought the Moto X largely on the... assurance ("promise"?) that this
particular phone, coming from a Google-owned Motorola, would actually be
updated expeditiously by not just the manufacturer but also, downstream,
Verizon.

Well, about a month ago my still 4.4.4 phone received an update. FINALLY. Then
I looked at the version information; still at 4.4.4 .

I tell you, Google, I'm about done with your mobile products. Not that I hate
dealing with them, with Android, but the U.S. (and elsewhere?) ecosphere for
them simply sucks.

At least I am at 4.4.4 . Were I at 4.4.3, the last I read I would be subject
to a web component vulnerability that Google has refused to fix below 4.4.4 .
I suspect there are a lot of phones and tablets stuck at 4.4.3 or below. In
fact, my parents have one, a Samsung tablet sold to them by... VERIZON, about a
year and a half ago. (And they didn't buy at the cheap/old end of Verizon's
tablet offerings.)

I am DONE with this bullshit. Meanwhile, Apple seems to have added some
efficiencies to iOS that now allow a 4s phone (not sure about 4) to work
reasonably well.

I was staying away from Apple's rather closed ecosphere and attitude. I am
seriously reconsidering, at this point. I need my primary phone to fucking
work and be reliable. I'll keep the more experimental stuff to other
platforms.

~~~
nostrademons
My first-gen Moto X got the 5.1 update about a month ago. Late, but better
late than never. Supposedly the rest of the 1st gen Moto X's are getting them
"pending carrier support" over the next month or so. Motorola has a website
where you can see whether (and supposedly when) your phone will get an
upgrade:

[https://motorola-global-portal.custhelp.com/app/software-upg...](https://motorola-global-portal.custhelp.com/app/software-upgrade-news/g_id/1949?linkId=10217927)

~~~
pasbesoin
Thank you.

Verizon has long been a bastard with regard to releasing updates. However,
travel takes me where they are the only thing that works (other than a local
carrier that makes no sense back at home). They also tend to have better
coverage here at home.

BUT, they told me that one of the selling points of this model on Verizon was
that they were committing to releasing updates in a timely manner.

My fault for believing Verizon. But... Google's fault for not pressuring them.
iPhones on Verizon get updates. This becomes "simple math", for the user on
Verizon. And, Verizon has _a lot_ of users, here in the U.S.

P.S. Even if Google is not in a position to effectively do anything about
this, they should recognize the pressure this applies to users to switch
platforms. Something I would imagine they ARE interested in.

~~~
ingenium
This is exactly why I won't buy anything except Nexus phones now. The updates
are completely independent from the carrier (well, carriers can withhold OTA
updates, but you can always flash the current system image from Google).

~~~
pasbesoin
I'm completely happy with my Nexus 7 2013 (WiFi only).

I may look into jailbreak/rooting options that are compatible with ongoing
Verizon service, for the phone.

In future, if I don't switch to an iPhone, I may well go with another carrier,
and just eat the cost of e.g. a prepaid Moto G for the times when I travel and
need the network coverage. Still, seems ridiculous. And if not Google, the
FCC should be taking a good, hard look at Verizon Wireless. At some point,
negligence should apply that, if nothing else, gets their spectrum allocations
revoked. That would get their attention, fast.

P.S. Maybe a Google lobbyist and/or lawyer could have a quiet little
conversation with their FCC contacts about this?

~~~
lanaius
On the flip side, I'm not very happy with my Nexus 7 2013 (LTE, although I
never have used it). As a disclaimer I am on CM since 12.0, but even before
then there were a number of issues. Tablet would stop recognizing touch or it
would inconsistently recognize it; core apps would start to randomly FC;
YouTube in particular has an issue where it often would say (and this
continued into CM) that there was no Network and you've to press retry 3 or 4
times and then things would work. Hangouts in both regular and CM versions of
Lollipop consistently has a bug where switching apps then switching back to
Hangouts takes you to a random location in the conversation requiring
scrolling back to the bottom frequently. This is an annoying one because
there's no way to clear the screen that I've found, you can either delete the
entire chat history or you can archive, but the archive is "restored" to the
chat window when you begin talking to that person again.

And I apologize, after that rant I realize it doesn't really have anything to
do with the topic, but I've sunk the cost already!

~~~
pasbesoin
To be fair, my Nexus mostly does streaming video and some light emailing and
surfing, these days. The display is small but high quality. Netflix keeps
prompting me to sign in again, but that seems to be Netflix.

There were some hiccups with the upgrades to 5.x, but I didn't get caught by
those. News reports taught me to be a bit conservative, in exercising a bit of
delay before applying OS updates if there was no looming security fiasco.

Compared to my parents' contemporary and more expensive Samsung tablet, with
Verizon LTE (and thus, Verizon as well as Samsung in the middle), that is
still stuck on 4.4.1 or 4.4.2, the last I looked... And with some crappy third
party calendar app as the default that had my mother confused for a while...

Well, via that comparison and others, I'm agreeing with the other commenter
that if you can go straight Nexus, that seems to be a better way to go WRT the
Android platform.

I'm hitting "tired"; otherwise, I might be able to think of some of the
software concerns I've had that are not OS / updates specific.

Oh, I remember the time I added some photos to Keep, to learn that there was
no way to keep them from syncing while on the cell connection as opposed to
WiFi.

And, I could lament the whole "fish around on the web for random articles, for
your documentation" approach, these days.

Anyway, I'm mostly responding to show a bit of support, despite our differing
satisfaction levels / experiences. When something doesn't work, too often the
environment/app leaves us feeling SOL. They got my money, so f--- me! ;-)

------
Animats
From the article: _"The messaging app Hangouts instantly processes videos, to
keep them ready in the phone's gallery."_

Do you have to have the "Hangouts" app installed for this security
vulnerability?

Google doesn't seem to have learned from Microsoft's decade of "autorun"
problems.

_It has been (0) days since the last C language buffer overflow
vulnerability._

~~~
McGlockenshire
> Do you have to have the "Hangouts" app installed for this security
> vulnerability?

No. The flaw is present in the extraction of the image data from the MMS
message. Anything that uses the system standard way of doing this, including
but not limited to Hangouts, will be vulnerable.

Hangouts retrieves MMS messages by default. This can be disabled under
Settings => SMS. Turning this off disables the automatic processing and thus
the passive exploit, but opening an MMS message containing the exploit can
still be done by hand.

------
Abundnce10
For TextSecure users, will this be an issue? Usually I'm prompted before I
download an image/video. Do you think I'm okay using TextSecure?

~~~
pasbesoin
I was just looking at the settings the other day. Per other comments in this
topic, I'd look at disabling the MMS features; IIRC TextSecure also has user
settings for this.

Edit: Just had a look. I do not have TextSecure as my default client. There is
MMS configuration information, but not a simple "disable automatic retrieval"
or similar setting, as there is in my default SMS/MMS client. I don't know
whether one appears when TextSecure is the default client; I suspect not, and
maybe this should be addressed?

~~~
simoncion
It turns out that media attached to an MMS message is not decoded until you
actually _open_ the attachment. See:
[https://github.com/WhisperSystems/TextSecure/issues/3817](https://github.com/WhisperSystems/TextSecure/issues/3817)

~~~
pasbesoin
Thanks, moxie (he's on HN).

Maybe I will make TextSecure my default app. I'll give "the hype" a day or two
to start sorting itself, while I have the "auto" stuff disabled in my current
default app.

~~~
simoncion
As an additional datapoint:

In my -and my lady friend's- experience, TextSecure is the only app to
correctly handle MMS group chat. We tried the stock Android app, the stock
Samsung app, and Hangouts. They all failed to do the right thing in one way or
the other.

------
mschuster91
Why can't Google force vendors and carriers in the Play license terms to open
source their kernel and flashing technology so XDA and friends can take care
of updates?

That would be the cheapest solution.

edit: added benefit, everyone is free to load on his device whatever he
chooses. Google should have gone that path way earlier.

~~~
Johnie
This overestimates the negotiating position of Google and underestimates the
negotiating position of the manufacturers and carriers.

In the US, the business model for mobile phones is that carriers buy phones
from the manufacturer and sell it to the end consumer. The carriers have
ultimate influence on what they purchase which affects what the manufacturers
produce. You, the end consumer, are a consumer of carriers rather than phone
manufacturers.

~~~
mschuster91
Well, no Google Android, no phones - Google has a massive stronghold on the
market, every consumer wants the latest and greatest phone.

Their stronghold is even enough to prevent ODMs (!) from building non-Play-
licensed phones - either you only ship non-play-licensed phones or you ship
only licensed ones. No in-between.

~~~
johncolanduoni
> Well, no Google Android, no phones - Google has a massive stronghold on the
> market, every consumer wants the latest and greatest phone.

It isn't that simple. Although creating a successful smartphone platform from
scratch would be very difficult, if enough manufacturers got tired of the
terms they might band together and create an app store to rival Play while
maintaining Android compatibility. In this case, app developers would only
need to change code for in-app purchases, licensing, etc. so a large enough
group of manufacturers could draw a significant number of apps to the new
store.

------
biggerfisch
Hangouts has an option under "SMS" to disable automatic retrieval of MMS
messages. Can anyone confirm if this at least stops the instant loading of
malware?

~~~
pd1
+1, this is all I have done

------
pja
The real problem here is that video messages expose a huge attack surface to
bad actors, very little of which has been security audited.

Automatically parsing videos before the user even chooses to interact with
them makes it even worse - although I suspect most people would play a video
sent to them over MMS even if it came from an unknown contact.

~~~
nsgi
Even if it does come from a known contact, they could have a worm.

------
stevenh
Now would be a good time for Apple to spread word of this disaster far and
wide and to offer a free iPhone to anyone who brings in an Android phone for
recycling.

~~~
aikah
> Now would be a good time for Apple to spread word of this disaster far and
> wide and to offer a free iPhone to anyone who brings in an Android phone for
> recycling.

an opportunity for Microsoft too.

Clearly this plus the web-view exploit fiasco will damage the android platform
for the long run.

Hundreds of millions of devices are affected by this exploit and most of them
will never be patched. I'm sorry to say but I'll have to pressure my IT
department to ban android devices, period. The problem isn't the MMS tech, the
problem is android's lousy security model. And the fact that Google thinks it
can wash its hands off all this and shift the blame on manufacturers...
outrageous.

While some manufacturers actually opensource their android 'implementation'
(like Alcatel, you can actually download some source code for a specific
device and patch it yourself) , most don't even bother doing that.

This stuff is a disaster.

~~~
ocdtrekkie
Absolutely true. It's very clear a platform that can't ensure security fixes
in a timely manner doesn't belong in the hands of anyone who handles private
data. "Android for Work" isn't much of an option for anyone who values
security.

------
mikegerwitz
There's hype, but is there any actual information about the vulnerability
anywhere? Best I was able to find was this:

    http://blog.zimperium.com/the-biggest-splash-at-blackhat-and-defcon-2015/

Even a CVE?

~~~
shawn-butler
Referenced CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826,
CVE-2015-3827, CVE-2015-3828, CVE-2015-3829 issues seem to still be in
reserved status.

~~~
hakam
[https://www.facebook.com/hakam.naser.al.deen](https://www.facebook.com/hakam.naser.al.deen)

------
forcer
I guess the simplest fix for the user is to disable MMS? I don't think it's that
popular a feature anyway?

~~~
pja
Can you actually disable MMS on Android phones? You can stop the default
messaging app from automatically downloading them on my phone, but I can’t
find a way to completely disable them.

~~~
nly
Is removing the MMS options under the APN enough to do this?

~~~
shkkmo
That's a good question. Presumably if your phone doesn't have network access
for MMS it can't download the message in the first place?

------
dimino
Is there a CVE? I'm not sure I understand, and this article only serves to
confuse. Consider this line, at the beginning:

> In this attack, the target would not need to goof up — open an attachment or
> download a file that's corrupt.

Is this line simply erroneous?

------
ck2
and tens of millions of phones will never be patched

this is a nightmare bug that will haunt android forever

I can already imagine many celebrities getting hacked through it

~~~
13
Why target people specifically? A phone has all the tools necessary to infect
every other peer they can reach. Almost instant billion device botnet, each
with a new list of targets to infect in the contacts book. It'll be
interesting if this does happen, and the same mistakes as early worms are made
(global internet pipe denial of service by probes attempting to find new hosts
to infect).

~~~
ck2
Whoa, never thought of that, but blackhats certainly will.

If they get one celebrity, they could get all their friends.

I predict a second one of these
[https://wikipedia.org/wiki/2014_celebrity_photo_hack](https://wikipedia.org/wiki/2014_celebrity_photo_hack)

Ironically this time iphone users will be protected.

~~~
13
Probably has engineering challenges past what you would normally face, which
thankfully makes a 1B device botnet a little unrealistic. I can't imagine how
you'd even begin to control such a thing, just a sequential numerical list of
the clients is 4GB. Scary prospect though.

~~~
endymi0n
Not too far off.

There's your discovery layer:
[https://en.wikipedia.org/wiki/Kademlia](https://en.wikipedia.org/wiki/Kademlia)

C&C:
[http://www.reddit.com/r/netsec/comments/2pmmfu/using_the_blo...](http://www.reddit.com/r/netsec/comments/2pmmfu/using_the_blockchain_as_a_cc_for_a_botnet/)

Persistence Layer:
[https://github.com/cockroachdb/cockroach](https://github.com/cockroachdb/cockroach)

Dissemination Layer:
[https://en.wikipedia.org/wiki/Gossip_protocol](https://en.wikipedia.org/wiki/Gossip_protocol)

Sprinkle in some AES and public / private keys for verification and you're
done.

Sequential list isn't needed.

(well, all the robust & stealthy large systems engineering together with the
low level exploit knowledge is probably a little too much for one person to
pull it off, but for a Hacking Team or nation sized actor it's quite doable)

------
yodon
What is the telecom law, if any, on text message delivery? It seems like the
first network to announce "we block all stage fright export messages before
they hit your phone" would win a huge PR coup (and they'd be able to do so
much faster than trying to prep updates for every device they ever sold).

------
pakled_engineer
I disabled hangouts on a device I couldn't build from source, then got a
constant alert it was trying to start again (Hangouts has unexpectedly stopped
notice) so blacklisted it in startup scripts. Google gives you no option to
remove it.

~~~
ocdtrekkie
Could it still be selected as the default messaging app? I had no issue
disabling Hangouts on my Android 4.4 device.

~~~
pakled_engineer
Reboot your phone, it will start again and try to make itself default
messaging app unless you edit init .rc scripts, on 5.1.1 Android anyway.

~~~
ocdtrekkie
I recommend not being on Android 5.x.

------
codeshaman
When a vulnerability like this becomes public, I always wonder - how many
people knew about it before it became public, for how long and how much has it
been exploited.

And I also wonder how many more critical exploits are known and used by
'hackers' or agencies today while we have this puffy feeling that our
data/communication is private and secure ?

The conclusion I can draw from this: never trust that your phone is secure. Or
computer for that matter.

------
lsaferite
The patches he submitted were to the kernel?

He says it will take a long time for those patches to make it to devices, but
I question the validity of the assertion simply because Google has moved more
and more into the Play framework. So, unless it is truly a kernel bug I would
expect that it's fixable in the framework or target application.

Please correct me if I am mistaken though.

~~~
s73v3r
Lots of things are still not in the Play framework. Stuff like this, for
instance.

------
Zikes
At first I thought Stagefright was the catchy name for the bug, and I expected
to see a nifty logo for it as well.

~~~
david_shaw
It's not, but it seems like the term is being used that way anyway. I've heard
"is your device vulnerable to Stagefright?" quite a few times already.

------
kitd
I assume this can be avoided to some extent by switching off Autodownload of
MMS messages in Hangouts?

------
justin66
I heard the radio bit and thought it sounded reasonable. The one explanation
that was missing was how this exploit fits in with those apps' permissions.
The article makes it sound as though the compromised apps get root, which
shouldn't really be possible.

------
mSyke
I know this will soon be patched, but would it be theoretically possible to
run a root exploit that would root a phone and install a superuser management
app? Root your phone with just a text. That would be an interesting exploit.

~~~
G3E9
We're thinking along the same lines. It'd be interesting to root your device
while navigating around any voided warranties on the basis of your carrier's,
or Google's, neglect (I am definitely not a lawyer.)

AND... could one possibly use this exploit to push their own patch? Could
someone who has a payload with a fix mass-message all android users? That
payload could also try and send itself to others within the then-patched
device's contact list.

------
AdmiralAsshat
This is definitely a huge problem, but I only see it being a doomsday scenario
_if_ you're using the default SMS app that ships with your phone (and hence
cannot be updated with a patch pushed by your OEM). Assuming you're using
Hangouts or Messenger[0] (which is sorta like Hangouts without Gmail),
however, as your default SMS app, you should be fine as soon as they patch it.
And both of those apps are freely available to download, meaning you could
always grab them once they're patched and start using them as your default SMS
app if you're worried about it.

[0]
[https://play.google.com/store/apps/details?id=com.google.and...](https://play.google.com/store/apps/details?id=com.google.android.apps.messaging)

~~~
Matt3o12_
Try to convince the average user to install a new app, and make it the default
sms app. He will neither want nor understand the trouble of learning a new app
for something that works just fine. And honestly, I don't blame them because
that is not something they should have to worry about.

Android should rather work on a feature that allows them to patch their not-
so-open operating system just like Apple does (or use a concept that is close
to the one in the GNU/Linux world but I don't think Google is gonna do that).

~~~
AdmiralAsshat
This is true, but in the case of Messenger, you should consider the following:

- It's made by Google (i.e. the guys who made the phone's stock SMS app)

- It has nearly identical navigation to the stock "Messages" app, simply with
a much cleaner interface

- It does not hook into anything other than your contacts, unlike Hangouts

For all intents and purposes it's the successor to the stock app, made a
separate app _specifically_ so that it can receive timely updates without
being tied to a system update.

Having used both, there's really no compelling reason not to switch to it
(sans the grandma-with-a-smartphone edge case who has never opened the Play
Store).

------
leke
This is why my next phone will be running Ubuntu.

~~~
bitmapbrother
Because Linux is free of exploits...

~~~
samuellb
Well technically Android runs Linux (the kernel) too. But Ubuntu can be
updated. My HTC Android phone only had a single update (almost when I got it)
and it's been vulnerable since.

I'm not going to replace my phone each time there's an exploit that the
manufacturer doesn't fix. So I don't think an Ubuntu phone would be such a bad
idea.

~~~
leke
Yep, this is why I said it. I assumed everyone knew about Ubuntu's update
strategy.

------
MBlume
If anyone's looking, MySMS has the relevant setting behind "advanced settings"

------
dang
What's the best URL for this story? It has been posted many times already.

~~~
danyork
There are a good number of stories now out about this:

[http://www.techmeme.com/150727/p8#a150727p8](http://www.techmeme.com/150727/p8#a150727p8)

It seems one of the original reports is here:

[http://blog.zimperium.com/experts-found-a-unicorn-in-the-hea...](http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/)

I'd also note that it seems this is research that will be presented next week
at Black Hat and then again at DefCon.

~~~
dang
HN does prefer original sources generally, but breaking stories like this one
often produce articles with additional reporting as they develop. So it's not
obvious that the original post has the most relevant information at this
point. If someone wants to figure out which URL does, we can change the HN
thread to use it. It's currently pointing to the npr.org story rather
arbitrarily, but perhaps that's as good as any.

------
taco_emoji
Anybody know if Textra is affected, if I turn off MMS auto-downloading?

------
anh79
Thanks Android. You make life much easier :)

------
lop9ctrunghatq
www.facebook.com/thiet.bao.75

------
alphanumeric0
Just a_text

------
infinity0
It's annoying that the media continues to incorrectly spin Android's _security
updates_ problem as somehow caused by its _open ecosystem_ (which itself
_barely_ meets the definition of open) and implying that Apple's _closed
system_ is the solution.

GNU/Linux distros are free open source software, and don't suffer from these
sorts of update problems. Many distros have special high-priority security
update channels that are enabled by default.

Please, call this out if you have friends writing / spreading such nonsense.

~~~
redml
What I got from the article is that this is a hangouts bug which is part of
the closed ecosystem of google apps anyway

~~~
dragonwriter
Then you didn't read the article; it's a video handling bug; the article notes
a difference between Hangouts and other messaging apps in video handling which
makes it worse with Hangouts, but the fundamental problem is with video
handling, not the messaging app.

------
jbb555
"The bad guy creates a short video, hides the malware inside it and texts it
to your number. "

How can you "text" a video? Texting uses.... text. The clue is in the name.

Not bothering to read the rest of the article.

~~~
daigoba66
MMS is colloquially known as texting, just as is SMS.

~~~
dragonwriter
And, on most devices, there's no UI distinction between the two in use, MMS vs
SMS is just a distinction the phone makes for messages by content.

~~~
soylentcola
Additionally, when someone using a non-standard messaging app (like whatever
the default iOS app is), sends a message to my Android phone, it doesn't come
through as an SMS but rather as an "attachment" to an MMS message.

------
pmalynin
I only wish that there'd be a way to flash a custom ROM on an Android phone...
hmmm....

