Hacker News new | past | comments | ask | show | jobs | submit login

Summary: MMS messages can cause Android phones to decode video with libstagefright, which is a C++ library with vulnerabilities and insufficient sandboxing, leading to remote code execution without user interaction.

You can partially mitigate the risk by disabling auto-downloading of MMS messages in whichever app you have set to handle text messages, such as Messaging or Hangouts. THIS IS URGENT. While the precise details of the flaw have not been publicly disclosed, this disclosure is sufficient for a skilled person to rediscover the flaw, which means that there is a considerable risk that someone will systematically use it on all the phone numbers.

For the common Hangouts use case: Settings -> SMS -> Auto Retrieve MMS -> Uncheck

Are those the steps for Android 5/Lollipop? I don't see any of those menus in settings.

edit: Ah it's in the actual hangouts app that you have to go to settings. Also if those settings are greyed out then you might not have Hangouts handling your SMS messages, so run the Messaging app instead and go to its settings to disable auto open of MMS.

Any idea why the auto retrieve mms checkbox would be checked and disabled so I can't uncheck it?

Yeah that threw me for a loop too, I think it's because Hangouts isn't configured to handle SMS for you. Check the Messaging app and its settings. It has a similar disable auto retrieve MMS setting.

Messaging on my Moto G (Android 4.4.4) does not have this setting.

Edit: Messaging (default app) doesn't have this setting, but Messenger does. I tried Hangouts for awhile but didn't like it.

nobody does. but Google is trying hard to make you use it by deprecating the gvoice app.

now if you want to make calls from your gvoice number, you must use hangouts.

funny how they think forcing newer apps is the solution to the g+fiasco

Messaging on Moto G2 (Lollipop) does have this setting under MMS. Disabled it from there.

NPR said the Messaging app is safe... ?

Seems to me Google could just update the "Hangouts" app to handle this, assuming people download the update. Yes or no? I think news articles are saying you have to wait for your service provider to issue an update? Sounds like bad advice.

For clarification, this is the Settings option -inside- Hangouts, not Android settings.

Contrary to the NPR article, somebody further down this page said this hack may affect Messenger users too. So I'm sticking with Hangouts!

I tried this and it downloaded automatically the MMS anyway.

It's likely too late for panic, everyone is probably owned already. It has the best infection vector ever, unauthenticated, unsolicited messaging with an easily discoverable addressing method. What more could a worm want?

>It's likely too late for panic, everyone is probably owned already

That seems unlikely given that the researcher hasn't publicly released the details of the hack, and he says that "he does not believe that hackers out in the wild are exploiting it".

There are tens of thousands of extremely skilled hackers selling exploits on the order of $10K to $100K. I'm fairly certain someone has been exploiting it. Not everyone is a good guy in the world.

If you're taking advantage of the law of large numbers, then it's only fair to use it in reverse: There's literally tens of thousands of iphones used by security researchers. One of them would have received a version if this if it was used on such a wide scale..

That's absolutely not true, your certainty is based on a fundamental misunderstanding of exploits and the amount of time and energy required to find them.

I don't see what's "not true" about it. A worm vector of this scale is certainly worth the R&D investment to find exploits, and it is indeed correct to assume that the vulnerability has been found before.

Whether it has actually been used, given the value of the bug, is a different story. But it should absolutely be treated as "in active use" already, especially by state or state-sanctioned actors (like Hacking Team).

What's not true is that this isn't in the wild. Period. You can make all the points about urgency you want and I will agree completely, but this is not currently in the wild, as far as anyone knows. Saying it actually is being actively used would be factually inaccurate based on the information known right now.

But that's the point: as far as anyone knows - more specifically, as far as anyone has admitted.

We do not have a 100% reliable way to determine whether an exploit is known by others (and likely never will have), and as such there is only one reasonable assumption left to make: assume that it is out in the wild and known by others.

This isn't a new concept - threat modelling requires that you assume every worst-case possibility is reality, so that you can guard against it. This was formalized in the 19th century as Kerckhoff's Principle[1], and undoubtedly existed before that in military circles. This applies equally to software security.

So given that we simply don't and can't know whether it is out in the wild, the most 'correct' assumption is that it is - because that lets us protect ourselves against that worst-case scenario, which may or may not be the case.

[1] https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

If you think I'm arguing against the idea of treating the vulnerability like it's in the wild, then you are mistaken. I'm simply stating the fact that no one has any evidence that this is being actively used in the wild.

Are you refuting that fact, or are you not refuting that fact?

Wouldn't you know if you'd received a sketchy MMS from a number you didn't recognize?

The most standout part of this attack (to me) is that it can be 100% silent. The fact that the bug hits before the text notification is fired means that an exploit could potentially stop the notification, delete the message, and go on tramping throughout your phone doing whatever it wants leaving absolutely no indication to you the user that you've been hacked.

Not if the attacker deletes the message post-pwnage.

But wouldn't there be a trail of notifications, or something?

If malware has root access it can alter everything on the phone without you ever seeing it. Any information falsified, all detection tools subverted.

Possibly, if Google is logging everything on their servers. It should be relatively easy for them to find out who got infected.

Proper pwnage would erase the MMS as soon as the exploit was complete. The only record of receipt would be on you itemized carrier bill.

Except if the MMS went to an iPhone or other device not affected. Unless you can determine Android/iPhone from just a #, apple/blackberry/MS phones would be full of corrupted MMS messages.

Why would it be corrupted? Just because it contains a malicious payload doesn't mean it has to be unviewable normally. Could even just tack onto all outgoing MMS by default and never raise anybodies suspicions.

Even worse, if it's a worm, it's likely it would come from somebody you know.

Is there a way to see if one is "owned"? Could we run a command or view a menu that would list an extra binary? Could we try to exploit ourselves in some way, like visiting a special website?

We know about the vulnerability, not the payload delivered through it. There could be thousands of them with wildly varying characteristics. There could be none.

Some of them could be rootkits, and have patched filesystem and process explorers to hide themselves. Some could be called virus.exe.

But no, you will never know that you haven't been compromised. In the coming weeks, we may learn about some of the specific malware that spreads this way, and you may be able to test your phone for it, but finding nothing does not mean you haven't been owned by something more exotic.

> none there's at lest one. see: team hacking android source code leak

very convenient timing for all that.

I don't see where superuser2 said what you attributed to them.

Did they edit their comment between the time you quoted it and the time I posted this comment? Or did HN's quirky rules regarding newlines (gotta put two if you want to display one) change the meaning of your comment?

I think gcb0 meant to quote "none" and then reply on the next line, but commentary ended up on the same line as the quote.

I also suspect this, but was asking a primary source for the Official Dirt. :)

I occasionally get picture or video messages from iPhones on my Android phone which just crash the default Messaging app. When this happens, it's not possible to even delete them as the app crashes immediately upon displaying that message. The only recovery I've found is to delete ALL messages. Interestingly this has never occurred when using Hangouts as the messaging app, but the fact that a presumably legit (these were received from known senders) MMS message could crash the app indicates that there are flaws in the programming.

Independent of the question if "everyone" is owned is the interesting (and scary) possibility that specific people have been (or will be) targeted.

There would be a lot of side-effects being noticed if it were being exploited as widely as you suggest. For example, carriers would notice lots of unusual activity; MMS step-change at a minimum.

Why infected? Is there any indication that the exploit can give root access and be used to install things?

Presumably anyone exploiting this would end up sending such messages to many iphones as well, where they could not delete themselves. If there are no suspicious messages arriving on iphones, that suggests it may not be being widely exploited.

maybe, they could check to see if a phone number supports imessage which would reduce the number of iphone users.

they may also blast texts out to android only phone numbers (maybe if you gave your phone number to an android app)

That leads to an interesting security question: How is Apple's iMessage lookup service protected?

> maybe, they could check to see if a phone number supports imessage

Is that possible? I haven't touched iOS in a long time.

It's possible through the UI. I'm sure it could be automated, though I don't know how.

When you send a text message from one iOS device to another, it will be blue if it was sent via iMessage, green otherwise.

Again, not sure how this could be automated en masse, but I'm sure it's possible.

At the very least, there'd be a wave of unsolicited messages on android phones that don't auto-download attachments.

Note; the bug is in the Stagefright media library (https://source.android.com/devices/media.html) - so while MMS is the method for delivery here, it may not be the only method.

Nuking MMS from orbit won't patch your phone.

Ok, but normal people are essentially screwed.

- They don't read hacker news so they aren't aware of this.

- They won't be able to disable auto downloading of MMS even if they did hear about it (think grandparents)

- They won't ever get an update to their Android phone to fix it (or be able to update it if one arrived)

Instead, why don't Android phone updates work like Chrome's updates do? I installed Chrome v1 years ago on my parents computer and today they are running version 44 (without any intervention on my behalf). They are fully up to date and protected without them having to even know about or run any sort of update.

Agreed. Even for those of us on Hacker News who know how to deal with this, what's our incentive for staying on Android? I really love the user experience of Android, but all this makes me think about is the next exploit and whether iPhone or even Windows Phone are more secure. At the very least they get patches in a timely fashion.

It's hit the news, so you don't have to read HN to be aware of it. It's also quite easy to disable auto downloading of MMS if given instructions.

decode video with libstagefright, which is a C++ library with vulnerabilities and insufficient sandboxing

Why? Why, if it is known to be a poorly written library, is it still part of an official release? And why the hell are client messages allow to specify the level of media down to the library linkage? Wtf.

The app is probably using MediaPlayer/MediaCodec and that uses stagefright under the covers.

The author is trying to build up hype for their vulnerability. Maybe if they shit on stagefright enough they can even start selling t-shirts.

Alternatively use a different SMS/MMS client such as TextSecure.

To quote moxie: "We don't do any pre-processing that involves stagefright. There are no technical details at all available about this vulnerability (for maximum hype), but you'd have to physically tap on the media and then click through a warning about playing media insecurely before stagefright got involved."


See also: https://news.ycombinator.com/item?id=9959070

Hopefully google paid and/or blackmailed carriers into filtering these mms messages. I think that's really the only possible remediation when at least 50% of android phones are functionally un-updatable.

How would you filter out the offending MMS messages? People send legitimate videos as well; is the bug such that it's obvious which videos contain exploits?

As a brute-force approach, perhaps you could send the video through otherwise identical patched and unpatched emulators and compare post-playback memory and filesystem states?

It's also probably possible to extend the patches to detect malicious input.

Someone could probably also create a video with a payload to hot patch libstagefright.

> Someone could probably also create a video with a payload to hot patch libstagefright.

This is brilliant. Assuming that it doesn't cause further problems.

Ok, I guess I better turn MMS auto-retrieve back on then ;)

This is cool idea. One problem may be that different versions of Android have different versions of libstagefright and just hot-patching that or dropping a replacement may brick older phones.

Here's a more modest idea: Google should immediately issue update for Hangouts and Messenger app that at least disables automatic MMS retrieval. Many users have automatic updates for those apps turned on or maybe at least they'll see a notification about app needing approval to update.

The exploit author told a Forbes reporter that Fennec (Android version of Firefox) has already been patched. If that's correct, that seems to imply two things: (1) MMS is just one of many vectors and (2) apparently somehow the exploit can be mitigated at the app level.

Firefox packages its own copy of the libraries it uses, including the stagefright library. They patched their copy in the new release.

I tried chmod 0000 libstagefright* but my rooted 4.4.4 wouldn't boot afterwards. Any ideas on how to disable the libraries without completely breaking android?

TextSecure does not decode MMS attachments until you explicitly open them. [0] Switching to it as your default SMS handler should protect you from drive-by infection through malicious MMS payloads.

[0] https://github.com/WhisperSystems/TextSecure/issues/3817

Hopefully those who make texting apps will be sensible and push out an update that 1) has a message about the vulnerability and 2) that disables auto-downloading of mms.

Edit:And I say this because even though old phone don't get updated, their apps do. Tenuous at best, but still better than nothing.

The equivalent fix for the Android Google Voice app is... not needed, because it still doesn't handle MMS.

Yes, I know that Hangouts has GV integration, but it's pretty subpar. There isn't, for example, a decent Hangouts Chrome extension.

Pretty sure I've started receiving MMS messages on my google voice number. It looks like support was added around November 2014.


The caveat is that MMS media attachments are not accessible in either the Google Voice Android app, or the web UI. They are (IME) only delivered as attachments to the email copy of the MMS.

Have you tested it recently? I just received a picture and it shows up as expected in hangouts, which handles my GV texts now.

I haven't integrated Hangouts with Google Voice, and I never intend to. I'm still using the standalone Google Voice Android app and the web interface.

Ah, I don't think you'll be getting many new features if you don't switch over.

Yeah, I don't call that "support", though.

Why not?

Can you confirm whether this is specific to videos or whether it includes images? I just received a rather generic and very unexpected MMS from a friend and wonder if there's a worm on the loose already.

Wondering the same. I got a weird Google Chat message through Hangouts a few months ago. Tried to uninstall Hangouts but it's a "system app" and can't uninstall it.

Applications are open for YC Summer 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact