Echoes of Stagefright: Samsung Releases Bugfix for All Phones Sold Since 2014

Back in July 2015, Android was hit by a remotely exploitable bug which got a lot of attention. The bug, known as Stagefright, could be exploited by a remote attacker simply by sending an MMS. With Stagefright, the attacker only needed to know the phone number to get remote code execution and privilege escalation. The recipient would not have to even open the message to be infected with malware.

This week, Samsung released a bugfix for all phones produced since 2014. The reason? A bug which is very similar to Stagefright. This bug also let attackers infect phones with malware simply by sending MMSs, without the target even having to open the MMS. As there has been some improvement to the underlying security of Android an attacker would now have to send 50 to 300 MMS messages to exploit the bug. According to the Google researcher who found the bug, there are ways of sending an MMS without generating a notification message as well. Of course, the first thing an attacker would install would be a remote administration tool, usually known as a RAT, which could be used to remove any traces of received messages.

The exact method exploited with Stagefright and now with this Samsung bug is not very important. As users we want our smartphones to be as useful as possible, and to use them to communicate with friends and family. The underlying security vulnerability is that with all the different communication protocols there are a lot of different attack surfaces that can be exploited. This is nothing new, as even back in 2001 you could crash a Nokia phone by sending a specially crafted text message.

Here are some examples of how the different features in your phone can be exploited:

• Underlying network protocols, such as the chips used to communicate on 4G and 5G have various security issues.
• Bluetooth and WiFi implementations have their own sets of issues.
• Operator communication protocols are similarly affected, e.g. issues with SIM cards.    
• Attackers have also exploited messaging protocols such as Whatsapp. It is reasonable to assume that other messaging apps, such as Telegram and Facebook Messenger has similar issues.

Common to all of these examples is that they can be exploited without any action performed by the end-user. It is enough that you connect to a WiFi network, have your phone connected to a mobile network, or that a messaging program is running in the background when someone sends you a message. Of course, some of these attacks might require physical proximity, such as for Bluetooth, and to exploit the 3G/4G chipset would require an attacker to configure a fake base station, which is not trivial.

What can you do to avoid this type of attack? Sadly, the only thing you can do is to make sure that your device is updated, and that you still receive security updates. If you’re Jeff Bezos the answer might simply be to stop using smartphones altogether.

We at Okay assume that there are criminals exploiting bugs like this to target your customers, and do our best to protect your authentications and transactions. To read more about how we do it, visit our SCA product pages.