[VULNERABILITY?] Remote wipe via iframe USSD trigger - HTC Rezound

I wanted to add a post here due to the severity of the bug. (Original post here: http://forum.xda-developers.com/showthread.php?t=1904629).
I've tested with *#*#4636*#* and nothing is displayed on my dialer, as it does when you type the code in now (4.0.3 latest release from Verizon). Trying with other numbers leaves the numbers in the dialer. Tested with FF and Chrome. Stock dialer.
Does anybody know any safe codes we can try to confirm or deny that this vulnerability could also affect HTC phones?
Edit: I was able to launch the HTC Function Test ( *#*#3424#*#* ) using this method. If there is a reset code I would bet it is exploitable.
Edit 2: I found a list of codes here: http://forum.xda-developers.com/showthread.php?t=1683634 which could also be tested.
Also sample HTML for you to test (will bring up the HTC Functions Test as if *#*#3424#*#* were entered in the dialer):
HTML:
<frameset>
<frame src="tel:*%23*%233424%23*%23*">
</frameset>
Place in an HTML file, host it somewhere. I wouldn't trust ANYONE's links unless you are prepared for the worst.
If somebody with the official VZW rom is brave enough to test out the factory reset codes we can narrow the scope of this down.

killsforpie said:
I wanted to add a post here due to the severity of the bug. (Original post here: http://forum.xda-developers.com/showthread.php?t=1904629).
I've tested with *#*#4636*#* and nothing is displayed on my dialer, as it does when you type the code in now (4.0.3 latest release from Verizon). Trying with other numbers leaves the numbers in the dialer. Tested with FF and Chrome. Stock dialer.
Does anybody know any safe codes we can try to confirm or deny that this vulnerability could also affect HTC phones?
This bug is being reported for Samsung TouchWiz devices only. We are safe.

Sorry, but you are very very ill-informed.
This bug affects all android devices. We have two problems here, 2 leads on from 1.
1) Does the device launch USSD (or other similar codes) from the browser automatically (Most stock diallers will do this, certainly both Samsung and HTC DO!)
2) Does the device have a USSD (or similar code) that allows for the device to be wiped without confirmation? (Most Samsung and HTC devices do, although the code to trigger it can vary from device to device.)
Samsung and stock Google have patched this in recent builds, so if you're up to date you should be safe; however, no evidence has been obtained to show that HTC is safe (or even knows of the problem).
In short, if there is a code to wipe your device then you are most likely vulnerable.

*#06# shows the IMEI on HTC, and here is a page where you can make sure HTC is vulnerable too: mk.am/m/ussd.html
The only thing is I'm not quite sure that HTC has USSD for factory reset or wipe.

These work on some htc phones:
##72786#
*#*#7780#*#*
*#7780#
*#767*3855# - this one, if it works will format your partitions, recovery will not be a simple task BE WARNED!

synisterwolf said:
This bug is being reported for Samsung TouchWiz devices only. We are safe.
Does HTC have such a reset code? I've seen various posts say that HTC does have a reset code.
I was able to get to the HTC Function Test with this method (3424) on stock browser, FF and Chrome. If there is a similar hard reset I think this would work for that too.

Lennyuk said:
These work on some htc phones:
##72786#
*#*#7780#*#*
*#7780#
*#767*3855# - this one, if it works will format your partitions, recovery will not be a simple task BE WARNED!
Any souls out there braver (or perhaps in a better position) than I to try these out?

Lennyuk said:
These work on some htc phones:
##72786#
*#*#7780#*#*
*#7780#
*#767*3855# - this one, if it works will format your partitions, recovery will not be a simple task BE WARNED!
Tried all 4 codes on my HTC Rezound. Nothing happened.
So I'm sorry, but it looks like you are misinformed.
The Factory Reset. One of those last ditch efforts that many of us have a fair bit of experience with. However, a malicious embed code could potentially do the exact same thing to your Galaxy S III. The Unstructured Supplementary Service Data (USSD) code (which we won't reproduce here) apparently only works on Samsung phones running Touchwiz, and only if you are directed to the dodgy destination while inside the stock browser (rather than Chrome, for example). This means the Galaxy Nexus is unaffected, but it can work the same dark magic on the likes of the Galaxy S II.
We've been trying to murder a (UK-based) GS III here at Engadget, but with no luck as yet -- we can cause the malicious digits to appear in the dialer, but we can't force the stock browser to visit them as a URL, even when trying a bit of URL forwarding and QR code trickery. However, this particular GS III has been rooted in the past, even though it's now running an official TouchWiz ROM, and that may be interfering with the process.
Aside from our own experiences, the evidence for the vulnerability is certainly strong. It was demonstrated at the Ekoparty security conference last weekend, during which time presenter Ravi Borgaonkar also showed how a different code could even wipe your SIM card. See the video after the break for the evidence.
Update: Tweakers.net has been able to replicate the security hole on a Galaxy S Advance, while The Verge has confirmed that it works on both the Galaxy S II and the AT&T Galaxy S III. Samsung has told us it's looking into the issue.
source
There's a lot of confusion as to exactly which Samsung phones are vulnerable to today's big scary USSD vulnerability, which could cause some phones to factory reset themselves upon visiting a malicious web page. Some Galaxy S2 and S3-class phones are susceptible, others less so. In some cases it depends if you're running the latest firmware or not. In others, there's no patched firmware available yet.
Samsung will surely be hard at work rolling out fixes for devices that remain susceptible, but in the meantime we've got a quick, easy way to tell if your phone is at risk, without taking the plunge and running the malicious code itself. Find out more after the break.
First off, note that today's glitch only affects Samsung phones. Our testing method may produce different results on other manufacturers' devices, but it's important to remember that it's impossible to use this exploit on a phone that's not running Samsung's TouchWiz software. Also, note that we don't see any secret information from your phone during this test. If in doubt, right-click and check the source code to see exactly what we're doing. It's a pretty simple test.
With that in mind, head to this page on your Samsung phone's stock browser. You'll find it at androidcentral.com/ussd-test
With this page loaded on your phone, simply click the button in the embedded area below to see if your Samsung phone is at risk. The test works by trying to direct you to a benign USSD code, specifically, the one that displays your IMEI on your screen (nothing malicious). If you're using a Samsung phone and a window pops up showing your IMEI number, you're likely vulnerable. If your dialer just loads up showing either nothing, or *#06# in the number read-out, you should be safe.
Let us know how you get on down in the comments. Safe browsing, everyone!
Source

synisterwolf said:
tried all 4 codes on my htc rezound. nothing happened.
so im sorry but it looks like you are miss informed.
That is good news, but this is still too early to call this one I think. This vector is open (at least on my phone) as demonstrated by the code:
HTML:
<frameset>
<frame src="tel:*%23*%233424%23*%23*">
</frameset>
(Place in an HTML file, host it somewhere. I wouldn't trust ANYONE's links unless you are prepared for the worst.)
This uses 3424 which opens up the HTC Function Test.
Just because those codes don't work doesn't mean there isn't one available if the vector is open.

killsforpie said:
That is good news, but this is still too early to call this one I think. This vector is open (at least on my phone) as demonstrated by the code:
HTML:
<frameset>
<frame src="tel:*%23*%233424%23*%23*">
</frameset>
(Place in an HTML file, host it somewhere. I wouldn't trust ANYONE's links unless you are prepared for the worst.)
This uses 3424 which opens up the HTC Function Test.
Just because those codes don't work doesn't mean there isn't one available if the vector is open.
ran this in chrome and still no go.

synisterwolf said:
ran this in chrome and still no go.
Very interesting... what are your specs? Can you try with stock browser?
mine:
HTC Rezound on Verizon, latest stock update available
Android 4.0.3
3.14.605.12 710RD

killsforpie said:
Very interesting... what are your specs? Can you try with stock browser?
mine:
HTC Rezound on Verizon, latest stock update available
Android 4.0.3
3.14.605.12 710RD
I deleted the stock browser. Chrome is better for me with sign-in ability and unlimited tabs. I can load up a stock browser after lunch and see if I can get it to trip.
But I'm running:
AOKP by neo
global update firm and radio
2.27 hboot
s-off

synisterwolf said:
I deleted the stock browser. Chrome is better for me with sign-in ability and unlimited tabs. I can load up a stock browser after lunch and see if I can get it to trip.
But I'm running:
AOKP by neo
global update firm and radio
2.27 hboot
s-off
Ah, I believe you're in a similar category as CM users then; these USSDs have likely been removed from your ROM.
Anyone else on stock (or willing to go to stock) who would be able to test the wipe codes?

FWIW I installed DialerOne and set it as my default dialer. This no longer executes the USSD automatically for the Function Test, so I hope if there is a valid USSD Reset code it would stop that as well.

Related

USSD Exploit - EVO 3D is vulnerable

I just tested this with a harmless test page with my GSM 3D EVO, and, using the stock browser, the USSD code was executed immediately without asking for confirmation (in this case the test page only used the USSD code for IMEI number, so no big deal). I am using one of the popular ICS+Sense based ROMS from the GSM section, but this will probably affect all the ROMs derived from the official HTC ICS update.
Not too concerned because I use Chrome (which is not affected by the exploit), but this is one more reason to wait anxiously for CM10 to be ready.:laugh:
I ran the test link on this page on my CDMA Evo 3D and it doesn't seem to be affected, but I'm using the default browser from MeanROM ICS 2.6 which is different from the stock ICS browser. My impression from reading a couple articles on this exploit is that it only affects GSM phones.
ramjet73
Just ran the exploit with the default browser in SOS 2.6.1 and it works. Strange since it's based on Mean.
... with Tapatalk 2
Ok so my phone can automatically do a factory reset, bigger deal if you are stock with no backup, that's why nandroids are so important
Signature (Don't ask me for help, couldn't care less if your phone explodes)
On SOS 2.6.1, stock browser and my phone does not seem to be affected.
Checked it through this website http://dylanreeve.com/phone.php
If your phone is vulnerable to the recently disclosed tel: URL attack then this website will cause your phone to open the dialler and display the IMEI code. With other USSD codes it could do any number of other things, including wipe all phone data.
You can find some more information and a simple workaround here: http://dylanreeve.posterous.com/remote-ussd-attack
What does it all mean?!
If visiting this page automatically causes your phone's dialler application to pop up with *#06# displayed then you are not vulnerable. If, however, the dialler pops up and then you immediately see your phone IMEI number (a 14- or 16-digit number) then you are potentially vulnerable to attack.
It seems only GSM phones are affected. Unfortunately I am in that category. I believe it would be more of an issue if you run a stock phone.
Signature (don't ask me for help, as I could care less if your phone explodes)
flashallthetime said:
It seems only GSM phones are affected. Unfortunately I am in that category. I believe it would be more of an issue if you run a stock phone.
From the article linked in my post above:
In conclusion, what is the risk to my phone?
The risk is that, upon visiting a website, a USSD code could begin running in the background, which is undoubtedly a serious breach of security. However, you shouldn't panic just yet: so far, no cases in the wild are known where this security breach has been exploited.
ramjet73
We all knew things like this would come to our phones. Members of XDA used to push better security programs for our phones back in the day. I'm tellin ya. Firewalls are going to be a real thing on our phones soon.
Yes I love the fact that miui has a built in firewall app. Always better safe than sorry.
Sent from my PC36100 using xda app-developers app
It seems that even if our Evo 3d shows up the IMEI code when visiting one of the many test pages, we are quite safe from the really harmful codes.
See here for a more detailed explanation.
I tested the factory reset code from the dialer (after a Nandroid backup, of course!!!) and it does not execute on my phone. :good:
I found this article talking about the Samsung Galaxy S3 problem. There is also a link in the article to an app in the Play Store that blocks the USSD codes from executing at all. I tested the app on my phone and it did stop the USSD codes I tested.
Article:
http://www.pcworld.com/article/2010867/samsung-android-hole-also-leaves-sim-cards-vulnerable.html
App:
https://play.google.com/store/apps/details?id=org.mulliner.telstop
Is there a good firewall app for the Evo 3D until such a firewall can be integrated with our phones?
I got an update for avast antivirus and apparently the USSD exploit is patched in the update

Official USSD hack list of immune and unsafe ROMs & Browsers

Official USSD hack list of immune and unsafe ROMs
This will be the official list of ROMs and browsers affected by the USSD code issue and instructions on how to patch it until an official fix is released. Please follow the following steps:
Visit the following link using your phone's browser: USSD test page
If your MEID info is shown on the screen then the ROM you are using is affected! Download and install TelStop from the Play Store.
After you install the TelStop app visit the test page again. You should now get a "Complete action using" popup with TelStop listed. Select TelStop. You will then receive a warning that this is likely a malicious code.
If your MEID info is not displayed then you are fine.
Report What ROM and browser you used and what your results were.
Source- PCWorld
Affected ROMs (I'm thinking all ICS and older based ROMs are most likely affected unless they are patched)
Stock 2.3 (all releases, all phones)
CM7
Imperium Initiative
peetr's Hybrid
MOF.2.3.5.ish
CM9
Unaffected ROMs
Th3Bill's Jellybean based ROMs (thanks Th3Bill for getting back to me so quick)
Affected Browsers
Stock
Firefox
Opera Mini
Maxthon
Safe Browsers
Opera Mobile gives prompt "Loading of external frame source tel:*%2306%23 suppressed (click to view)"
One thing to mention is that it is the default browser that handles the tel: URL. The CM7 stock browser is affected. If you set a different browser as default it will not execute the tel: URL. Opera does nothing with "special" URLs like tel:. It won't even open the YouTube app when clicking a video link.
Edit: Opera prompts you.
atroph said:
One thing to mention is that it is the default browser that handles the tel: URL. The CM7 stock browser is affected. If you set a different browser as default it will not execute the tel: URL. Opera does nothing with "special" URLs like tel:. It won't even open the YouTube app when clicking a video link.
Which Opera, mobile or mini? The sad part is Firefox is affected. I'm installing Maxthon to check it right now.
Edit: Just tested Opera Mini and Maxthon. No good. Opera Mobile came back ok though. Adding results to OP.
Mobile.
It actually prompts you. Says will not display frame. You must click link again to enable.
Exact text:
Frame content not displayed
Loading of external frame source tel:*%2306%23 suppressed (click to view).
Generated by Opera.
I need somebody to check ICS please and report.
ICS and Chrome is affected too.
Sent from my SPH-D710 using Tapatalk 2
Omar04 said:
ICS and Chrome is affected too.
Sent from my SPH-D710 using Tapatalk 2
That's what I was afraid of. What ROM are you running on what device?
Using peetr's Hybrid rom and stock browser and its affected.
Sent from my MB855 using xda premium
Thanks for this. I was reading about this earlier.
Sent from my GT-I9300 using Tapatalk 2
Lokifish Marz said:
That's what I was afraid of. What ROM are you running on what device?
Stock Official ICS build FH13 on Galaxy S II E4GT
First it was reported that it only affected Samsung ICS TouchWiz devices, but no, it affects all Android devices and almost all browsers: Opera, Chrome, Boat, Firefox. Need to test Dolphin, but it seems all of them are affected, and all Android devices.
Edit: just tested Dolphin Browser and the code runs through too. So by definition every browser is affected.
Sent from my SPH-D710 using Tapatalk 2
Jokers CM9 affected too. What is all this about? What does all this mean?
N/m
Using MOF.2.3.5.ish v1.4 and Dolphin Browser and the test failed. Telstop fixed the problem. Then Lookout Mobile updated to include the same functionality as Telstop (just select Lookout as default action and a safe link will go through to the dialer and an unsafe one will come up with a warning and the option to cancel action or continue)
The Verge report about the exploit.
http://mobile.theverge.com/2012/9/2...hwiz-remote-wipe-vulnerability-android-dialer
Sent from my SPH-D710 using Tapatalk 2
Some of the comments are hilarious. The thing is that USSD codes are a part of the dialer and have been around for some time. Techs use them on a regular basis, so blocking the codes is a bad thing. In some cases USSD codes are the only way to fix some issues in a timely manner. It probably has to do with the ability to dial a number via a webpage, but this goes a little too far. A browser should never have this level of access. This is IE levels of stupid.
Happened to me I'm on stock mopho 2.3.5 only root access
Sent using Xda App
I am looking into this problem and this is really only a problem of USSD codes, because USSD does not need to be confirmed.
However, providing the tel: data type from the browser is normal, so you can dial right from it. Any other number must be confirmed by the dial button.
The question is whether the JB browser is really not affected, or the JB dialer just does not handle the *#06# USSD code. I did not try it.
There should be an exception for usage of * or # marks with the VIEW intent, in the dialer I think.
On the other side, from what I know, none of the USSD codes that do not need to be confirmed by the dial button interact with the service provider.
These USSD codes are just for running activities. Nothing else. You can run the activity, but you cannot change anything.
If I am mistaken and there exists some USSD code that does not need to be confirmed and changes something or sends some data somewhere, please tell me.
Hmm, just tried most of the codes in my ROM. Most of them must be confirmed by the dial button or lead to a programming menu where you must enter a password, or just provide on-screen info about version or IMEI, etc.
*#*#4636#*#* just starts the phone info activity and there is no way to continue browsing this activity from the browser.
My results are that I don't see any security issue here.
Just watched the video. Samsung and their touchwiz - what more can I say.
One link, if you don't understand, what am I writing about.
http://www.theregister.co.uk/2012/09/25/samsung_flaw/
This is really only Samsung's problem and its inability to secure such a thing as wiping the whole phone with a password.
On MoPho stock 2.3.5, Boat Browser is affected. Interestingly, RoboForm, which has its own browser, is not.
peetr_ said:
Hmm, just tried most of the codes in my ROM. Most of them must be confirmed by the dial button or lead to a programming menu where you must enter a password, or just provide on-screen info about version or IMEI, etc.
*#*#4636#*#* just starts the phone info activity and there is no way to continue browsing this activity from the browser.
(check your PM)
In most cases many folks will be fine as long as they pay attention to what's going on. The other side to this is that the Electrify/Photon family of phones was sold world wide and there are some USSD codes that are specific to the carrier and these codes are generally built into the dialer. If you know what device and what carrier someone is one you can cause a lot of panic. For obvious reasons I'm not going to go into specific examples but those that have pranked somebody using USSD codes know what I'm talking about.
The safest bet for those that are concerned is to use a third-party dialer that doesn't process USSD and command codes. I personally use Dialer One as my default dialer.
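The mitigations this thread converges on, a guarding tel: handler like TelStop and a dialer-side exception for * and # that peetr_ suggests, both reduce to one check: percent-decode the tel: URI and refuse to hand an MMI/USSD string to the dialer unprompted. The following is an added example of that check in Python, not code from the thread, from TelStop or from any dialer; the function names are assumed, the ordinary phone number is constructed, and the frame is the test page posted above.

```python
"""Classify tel: URIs before they reach the dialer (added example)."""
import re
from urllib.parse import unquote

# RFC 3966 allows visual separators inside the number; strip them so that
# "*#06#" and "*#-06-#" are judged the same way.
_VISUAL_SEPARATORS = re.compile(r"[-.() ]")

# *#*#<digits>#*#* is the form the Android dialer treats as a "secret code"
# and dispatches to whichever app registered it (e.g. *#*#3424#*#* for the
# HTC Function Test, *#*#4636#*#* for phone info).
_SECRET_CODE = re.compile(r"^\*#\*#\d+#\*#\*$")

# An ordinary dial string once separators are gone: optional +, then digits.
_PLAIN_NUMBER = re.compile(r"^\+?\d+$")


def decode_tel_uri(uri: str) -> str:
    """Return the dial string of a tel: URI, percent-decoded, separators removed."""
    if not uri.lower().startswith("tel:"):
        raise ValueError("not a tel: URI")
    number = uri[4:].split(";", 1)[0]   # drop parameters such as ;phone-context=
    number = unquote(number)            # %23 -> '#', %2A -> '*'
    return _VISUAL_SEPARATORS.sub("", number)


def classify_tel_uri(uri: str) -> str:
    """Return 'plain', 'secret-code', 'mmi' or 'invalid'.

    Only 'plain' should go to the stock dialer without a prompt; the other
    two are MMI/USSD strings, which a stock dialer may run with no Call press.
    """
    try:
        number = decode_tel_uri(uri)
    except ValueError:
        return "invalid"
    if _SECRET_CODE.match(number):
        return "secret-code"
    if "*" in number or "#" in number:
        return "mmi"                    # *#06#, *#7780#, ##72786#, ...
    if _PLAIN_NUMBER.match(number):
        return "plain"
    return "invalid"


def find_tel_frames(html: str) -> list:
    """Return every tel: URI used as a <frame>/<iframe> src in html."""
    return re.findall(r'<i?frame[^>]*\ssrc=["\'](tel:[^"\']*)["\']', html, re.I)


# The test page from this thread; this is the input a guarding handler sees.
SAMPLE_HTML = """<frameset>
<frame src="tel:*%23*%233424%23*%23*">
</frameset>"""


def audit_page(html: str) -> dict:
    """Map each tel: frame source found in html to its classification."""
    return {uri: classify_tel_uri(uri) for uri in find_tel_frames(html)}


if __name__ == "__main__":
    for uri, verdict in audit_page(SAMPLE_HTML).items():
        print(f"{uri} -> {verdict}")
```

The same classification applied to an intent's data URI is what lets a handler show a warning for *#06# while still passing +1-555-… through to the dialer untouched.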

About Android MMS Stagefright exploit

How can an Android system be hacked just by one MMS? I heard from news sites that an exploit was found for 95% of Android phones (Android 2.3+) that can take control of the whole device with just one MMS and without letting you know. How can it be possible and how can I prevent it?
P.S.: I don't want to hack anybody's phone as I have no friends. Just curious.
Sent from my GT-I9301I using XDA Forums Pro.
mihai.apostu98 said:
How can an Android system be hacked just by one MMS? I heard from news sites that an exploit was found for 95% of Android phones (Android 2.3+) that can take control of the whole device with just one MMS and without letting you know. How can it be possible and how can I prevent it?
P.S.: I don't want to hack anybody's phone as I have no friends. Just curious.
Sent from my GT-I9301I using XDA Forums Pro.
Here's some useful info:
http://www.cnet.com/news/researcher-finds-mother-of-all-android-vulnerabilities/
That's some info, but not really anything useful. Does this mean Google has a patch, will they be pushing that out, or will there be ways to patch custom ROMs sooner even? These are all unanswered, though it would be nice to know...
"As soon as the malicious text is received, features built into Stagefright to reduce lag time for viewing videos process the video to prepare it for viewing. That processing apparently is enough for bad guys to get their hooks into the platform and take control." - cnet
I see it like this:
1. MMS with video arrives
2. Messaging app loads the video in Stagefright, where it will be processed for better playback.
3. Video is ready for playing.
As I figure out from Google's Android site about Stagefright, it is a service that takes care of video/audio/other media related stuff offline and locally.
How can hackers connect with Stagefright if Stagefright is an offline service? And anyway, how can a media service receive code to execute as a remote command execution for the whole system?
Sorry but I just don't get it at all.
mihai.apostu98 said:
How can an Android system be hacked just by one MMS? I heard from news sites that an exploit was found for 95% of Android phones (Android 2.3+) that can take control of the whole device with just one MMS and without letting you know. How can it be possible and how can I prevent it?
P.S.: I don't want to hack anybody's phone as I have no friends. Just curious.
Here's further info. Google has apparently already sent the patches, 7 in all, to the various phone manufacturers.
Because of fragmentation, though, some of them may never send out these fixes. Since these have assumedly been committed to the source code online, they should theoretically be available for download at some point as well. However, you'd (likely) need to be rooted to apply them.
In the meantime, go into your SMS application (usually Hangouts these days) and turn off automatic MMS retrieval. Then, do not accept any photos or videos from anyone you don't know. I am not sure, but I worry it's also possible you might get it from someone you do know who is already infected, so just operate with an abundance of caution overall, I guess. And keep an eye out for news here, because it will probably be one of the first places they become available.
mihai.apostu98 said:
"As soon as the malicious text is received, features built into Stagefright to reduce lag time for viewing videos process the video to prepare it for viewing. That processing apparently is enough for bad guys to get their hooks into the platform and take control." - cnet
I see it like this:
1. MMS with video arrives
2. Messaging app loads the video in Stagefright, where it will be processed for better playback.
3. Video is ready for playing.
As I figure out from Google's Android site about Stagefright, it is a service that takes care of video/audio/other media related stuff offline and locally.
How can hackers connect with Stagefright if Stagefright is an offline service? And anyway, how can a media service receive code to execute as a remote command execution for the whole system?
Sorry but I just don't get it at all.
People connect with Stagefright by sending you the malicious code contained within the MMS. Once that code gets (usually automatically) processed by the Stagefright service already locally present, it exploits security vulnerabilities to hand control of your device over to whomever is waiting on the other end. As for a media service being able to control the whole system, think of how Flash (a media service) and Microsoft had those zero-day UaE bugs that would allow someone to take over your PC. The logistics may be different, but the concept is the same.
If I remember correctly, there are ways to turn stagefright on/off by editing your build.prop file (easily found on XDA). I don't know if there is another subservice or what that could be running, and I haven't devved since Android 4 dropped, so don't get your hopes up.
Hope that helps.
I gather that Google has a patch. Has it been pushed out to Nexus devices?
pomeroythomas said:
If I remember correctly, there are ways to turn stagefright on/off by editing your build.prop file (easily found on XDA). I don't know if there is another subservice or what that could be running, and I haven't devved since Android 4 dropped, so don't get your hopes up.
Excellent idea, +thanks. Et voilà, what appears to be in my KitKat:
media.stagefright.enable-player=false
media.stagefright.enable-meta=false
media.stagefright.enable-scan=false
media.stagefright.enable-http=false
media.stagefright.enable-rtsp=false
media.stagefright.enable-record=false
Now, this can break all kinds of things if you don't know what you're doing. Use a build.prop editor from the Play Store.
I don't know that they all need to be false to plug this hole. But those are the relevant lines.
UPDATE [10 Aug 2015]: This doesn't affect what the Zimperium scanner says is vulnerable, which may indicate the edit won't protect you. It's unclear at this point.... read the latest posts in this thread for possible info. You can turn off auto-retrieve in MMS, but SF exists at other levels of the operating system. I suppose it couldn't hurt to do the build.prop, but don't rely on it.
voxluna said:
Excellent idea, +thanks. Et voilà:
media.stagefright.enable-player=false
media.stagefright.enable-meta=false
media.stagefright.enable-scan=false
media.stagefright.enable-http=false
media.stagefright.enable-rtsp=false
media.stagefright.enable-record=false
Now, this will probably break all kinds of things, and I don't know that they all need to be false to plug this hole. But those are the relevant lines.
Thanks for the thanks!
You probably won't break much of anything; 90% of today's phones are powerful enough that you don't REALLY need Stagefright handling the media unless you're playing very intensive games on your device. The most you'll likely experience is not-quite-as-good benchmarking numbers.
pomeroythomas said:
Thanks for the thanks!
You probably won't break much of anything; 90% of today's phones are powerful enough that you don't REALLY need Stagefright handling the media unless you're playing very intensive games on your device. The most you'll likely experience is not-quite-as-good benchmarking numbers.
I had honestly never heard of StageFright, and I've been using Android since the very first device came out. But if it's possible to run all the usual media, just with a performance penalty, I'm going to change it right now (I did, and this happened).
Also, I just read an article claiming that fragmentation is not so much of an issue these days, because Google Play Services is mandatory. I wonder if it can proactively change something like this, on its own?
voxluna said:
I had honestly never heard of StageFright, and I've been using Android since the very first device came out. But if it's possible to run all the usual media, just with a performance penalty, I'm going to change it right now.
The only reason I even know about Stagefright is because my very first, 550MHz, resistive touchscreen Kyocera Zio shipped with Stagefright disabled by default. Haha.
Also, I just read an article claiming that fragmentation is not so much of an issue these days, because Google Play Services is mandatory. I wonder if it can proactively change something like this, on its own?
I would assume it's possible (this is just an arbitrary code execution issue, I think), but having had that vulnerability built into pretty much every ROM for the last 5 years could be a problem in that I'm not 100% sure that Google Play Services has the access to shut down the Stagefright service (no root access, etc), so I'm pretty sure Google Play Services would be less of a fix than a piece of software that actively tries to mitigate the breach.
I could be wrong, though; I'm basically guessing as I haven't looked into the malicious code.
Xposed Android will no doubt have either a module for this or existing bugfix modules will be updated to include this vulnerability in the coming days, and due to the nature of Xposed modules taking over services the ROM is trying to run without actually messing with your ROM, I'm sure it'll be a universal fix.
Personally, I just shut off the Stagefright service using my build.prop and am patiently awaiting someone more skilled than I to create a fix.
I could see this as a useful root method for Lollipop, and other versions that don't have root methods yet.
Morlok8k said:
I could see this as a useful root method for Lollipop, and other versions that don't have root methods yet.
Here's hoping!
Morlok8k said:
I could see this as a useful root method for Lollipop, and other versions that don't have root methods yet.
pomeroythomas said:
I'm not 100% sure that Google Play Services has the access to shut down the Stagefright service (no root access, etc), so I'm pretty sure Google Play Services would be less of a fix than a piece of software that actively tries to mitigate the breach.
Come to think of it, if this exploit allows any kind of root, I suppose it'd be possible for Services itself to use that hole, and therefore be able to patch Stagefright. A weird workaround, but entirely possible. Something tells me they won't use it, though, as technically feasible as it may be. I'm really hoping for that Xposed fix, just like GravityBox can patch FakeID. Which, indeed, Services eventually mitigated (for the most part).
commits on android.googlesource.com
Has anyone tracked any commits in android.googlesource.com related to stagefright?
Is this really a viable fix for this? I copied it from another website
If you turn off the following settings in your messaging app/apps on your device:
Auto-retrieve MMS. Check to automatically retrieve multimedia messages that you receive. If auto-retrieve is unchecked in your Messenger MMS settings, you must touch Download to view the message.
Roaming auto-retrieve. Check to automatically retrieve multimedia messages while roaming.
Then when you receive the text with this exploit it will not download to your phone unless you hit the download button. So it looks like this can be turned off without a patch, but patches are needed because not everyone is smart enough to turn these off.
iverson3-1 said:
Is this really a viable fix for this? I copied it from another website
Auto-retrieve MMS. Check to automatically retrieve multimedia messages that you receive. If auto-retrieve is unchecked in your Messenger MMS settings, you must touch Download to view the message.
Roaming auto-retrieve. Check to automatically retrieve multimedia messages while roaming.
Then when you receive the text with this exploit it will not download to your phone unless you hit the download button. So it looks like this can be turned off without a patch, but patches are needed because not everyone is smart enough to turn these off.
That should be one way to disable the hack. It's unclear from what I've read if it only affects Hangouts, or all SMS clients. What I've done is disable any auto MMS retrieve in my own messaging app, which in my case is mySMS. I suppose it couldn't hurt to do it in Hangouts as well.
This should cover it, but I think you still run the risk of someone you know sending (probably without their knowledge) an infected video -- much like trojans that take over a PC, and use the internal contact list to send mail as though they were your friend, they could exploit your trust.
Patching the build.prop theoretically protects from this, which I've personally done, but it's not for the faint of heart. If you screw it up, you could render your phone a mess. I wish I knew more about app development, because I would write something that did all this stuff automagically.
voxluna said:
Patching the build.prop theoretically protects from this, which I've personally done, but it's not for the faint of heart. If you screw it up, you could render your phone a mess.
Aaaaaand that's what I just did. I'm in a boot loop after changing the build.prop file. This is going to be really fun with an encrypted data partition that holds the backup I just made.
Be warned.
UPDATE: I had to reflash the ROM, and the entire experience took about 2.5 hours because I couldn't get a KDZ to work. I decided that since it was going to be a full wipe, at least I would upgrade to Lollipop, but I'll have to set up the entire phone all over again. I suspect the problem was that I didn't pay attention to the permissions of that file when I edited and transferred it from another machine. Ugh. I just went back and put warnings on all my posts about the build.prop lines.... and it would be better to just wait for patches, IMO. This thread is progressing quickly now.
I tried tracking the fix in the Android source repo, but the only recent commit against libstagefright is from July 7th:
Fix global-buffer-overflow in voAWB_Copy.
Copy() in frameworks/av/media/libstagefright/codecs/amrwbenc/src/util.c always
overreads the buffer by 4 bytes to the right, which, if we are very unlucky,
can even hit an unmapped memory page (in this case it is just a global
variable).
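The quoted commit message describes a copy routine that reads 4 bytes past the end of its source buffer. As an added illustration (not the AOSP commit and not code from anyone in this thread), here is the shape of a word-wise copy that keeps both its reads and its writes inside the stated length, plus a self-check against constructed data. `bounded_copy` and `copy_self_check` are hypothetical names for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Word-wise copy that never reads beyond src + n.
 * Returns the number of bytes read from src, which is always n. */
size_t bounded_copy(uint8_t *dst, const uint8_t *src, size_t n)
{
    size_t i = 0;

    /* Full 4-byte words only. Rounding n up to a whole number of words,
     * or running one extra iteration, is the kind of loop that reads past
     * the end of the source even when the visible result looks correct,
     * because the extra bytes are simply discarded. */
    for (; i + 4 <= n; i += 4) {
        uint32_t w;
        memcpy(&w, src + i, sizeof w);   /* memcpy: no unaligned-access UB */
        memcpy(dst + i, &w, sizeof w);
    }

    /* Remaining 0..3 bytes, one at a time. */
    for (; i < n; i++)
        dst[i] = src[i];

    return i;
}

/* Self-check with constructed data (example only): copy n bytes into a
 * destination followed by guard bytes. Returns 1 when exactly n bytes were
 * copied, the payload matches, and no guard byte was touched; 0 otherwise.
 * An over-read of src is not observable here without a sanitizer; what the
 * check pins down is that the loop arithmetic stays within n, and that
 * same arithmetic governs the reads. */
int copy_self_check(size_t n)
{
    enum { MAX = 64, GUARD = 8 };
    uint8_t src[MAX + GUARD];
    uint8_t dst[MAX + GUARD];
    size_t i;

    if (n > MAX)
        return 0;

    for (i = 0; i < sizeof src; i++)
        src[i] = (uint8_t)(0xA0 + i);
    memset(dst, 0xEE, sizeof dst);

    if (bounded_copy(dst, src, n) != n)
        return 0;
    if (memcmp(dst, src, n) != 0)
        return 0;
    for (i = n; i < n + GUARD; i++)
        if (dst[i] != 0xEE)
            return 0;
    return 1;
}
```

When reviewing a fix like the one quoted, the thing to look for is exactly this split: whole words handled in one loop whose bound is `i + 4 <= n`, and the tail handled separately, rather than a single loop over a rounded-up count. Building such code with AddressSanitizer makes the over-read itself visible, which a plain functional test cannot.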
Hi all,
In my case, as I plainly don't use the MMS feature, I simply deleted the MMS APN. Is this a possible workaround for this problem (at least until it gets fixed somehow)?

Android/whatsapp hacked! Please help!

Hi, I really need some advice and help, please!
Someone hacked my Galaxy Note 8 (latest update of OS) using Bluetooth. Thereafter, when I had Bluetooth turned off all the time, I would sometimes find it had turned on again, and at times a pic would randomly appear in my camera roll folder. I was targeted by a group of people and, looking back, I recall I was encouraged to message through WhatsApp, and I believe that Chrome and the Android WebView extension were involved. They also got into my Gmail and tried to delete my contacts and wipe my phone and WhatsApp history. After this I saw that a Linux device had been attached to my Gmail account.
I then went to an iphone and received a whatsapp from someone and a pic appeared again in my camera roll. I believe they were trying to do the same again and not sure how effective it is on iOS.
But now I have a new galaxy note 8 and someone has sent me a pic and video. I don't know that they are involved and I think I'm being overly cautious, but I need to understand what they did before and what I can do to check if they have hacked my new phone and doing the same thing again, and what I can do now to ensure they don't do it. I'm worried now that if they have got into my new phone and WhatsApp, will they have been able to get my IMEI and is my new phone now permanently susceptible to attack?
If I wipe my phone back to factory settings and reinstall everything again and start a new whatsapp with a new number, will that work?
My MS surface has also been acting up and I'd like to know if there's an easy sign to check on there too.
Thanks so much in advance!
phoenix79802 said:
Hi, I really need some advice and help, please!
Someone hacked my Galaxy Note 8 (latest update of OS) using Bluetooth. Thereafter, when I had Bluetooth turned off all the time, I would sometimes find it had turned on again, and at times a pic would randomly appear in my camera roll folder. I was targeted by a group of people and, looking back, I recall I was encouraged to message through WhatsApp, and I believe that Chrome and the Android WebView extension were involved. They also got into my Gmail and tried to delete my contacts and wipe my phone and WhatsApp history. After this I saw that a Linux device had been attached to my Gmail account.
I then went to an iphone and received a whatsapp from someone and a pic appeared again in my camera roll. I believe they were trying to do the same again and not sure how effective it is on iOS.
But now I have a new galaxy note 8 and someone has sent me a pic and video. I don't know that they are involved and I think I'm being overly cautious, but I need to understand what they did before and what I can do to check if they have hacked my new phone and doing the same thing again, and what I can do now to ensure they don't do it. I'm worried now that if they have got into my new phone and WhatsApp, will they have been able to get my IMEI and is my new phone now permanently susceptible to attack?
If I wipe my phone back to factory settings and reinstall everything again and start a new whatsapp with a new number, will that work?
My MS surface has also been acting up and I'd like to know if there's an easy sign to check on there too.
Thanks so much in advance!
I do strongly advise you to do a full factory reset, or go to the nearest technician if you don't know how to do it, to flash the phone from scratch immediately. Also try the best security app for Android once you set up your device again. That's enough.
Sent from my SM-G550T1 via Tapatalk
---------- Post added at 12:58 PM ---------- Previous post was at 12:52 PM ----------
I would also report the issue to the tech support of WhatsApp, if there's any. Also, change every password on your Google devices to more secure passwords: Google, banking, social. And do place a secure password to lock your device. Good luck.
Sent from my SM-G550T1 via Tapatalk
This is why I dislike Touchwiz, it's so outdated and vulnerable.
Just reflash your whole system, you can find guides on YouTube on how to flash a new firmware.
I would also recommend changing to a custom ROM with up to date security patches.
Edit: You should also change all your passwords to something very difficult like 'nJfi8t%Nc178c'
If you have difficulties remembering there's a lot of apps out there that can help, I personally use last pass, you should check it out.
davidzam said:
I would also report the issue to the tech support of WhatsApp, if there's any. Also, change every password on your Google devices to more secure passwords: Google, banking, social. And do place a secure password to lock your device. Good luck.
If you were conned into downloading a web extension then this has nothing to do with WhatsApp; it has to do with the user. Contact Google security to change your account. In general, if they hacked a phone, the phone only is the problem, but if they have access to all your info then it can always be a problem. About Bluetooth: always have at least a code between the devices (some BT keyboards do not even have this). Also look at the security update on the device; if it is not the latest then switch to one of the custom ROMs here, which are always secure.
As for passwords, think of a sentence and use the first letters of each word; incorporate numbers, capital letters and a symbol. This helps you to remember it.
For example
I Have A Dog Who Name Is Henry And I Love Him=IHADWNIHAILH
now change A for the & symbol one I for 1 and A for 4=1H4DWNIH&ILH
mix it up with some upper case and lower case (names)=1h4dwniH&Ilh
you can now add in other symbols or spell words such as [email protected] (too big so we will use only part @m )add ! after Henry and [] around &Ilh [email protected]![&ILH]
now you have a random easy to remember password. This password is the basis for all the security on android (at the current time) so even if you use a code it still unlocks with this and encrypts.
Applied Protocol said:
If you were conned into downloading a web extension then this has nothing to do with WhatsApp; it has to do with the user. Contact Google security to change your account. In general, if they hacked a phone, the phone only is the problem, but if they have access to all your info then it can always be a problem. About Bluetooth: always have at least a code between the devices (some BT keyboards do not even have this). Also look at the security update on the device; if it is not the latest then switch to one of the custom ROMs here, which are always secure. As for passwords, think of a sentence and use the first letters of each word; incorporate numbers, capital letters and a symbol. This helps you to remember it. For example: I Have A Dog Who Name Is Henry And I Love Him = IHADWNIHAILH. Now change A for the & symbol, one I for 1 and A for 4 = 1H4DWNIH&ILH. Mix it up with some upper case and lower case (names) = 1h4dwniH&Ilh. You can now add in other symbols or spell words such as [email protected] (too big so we will use only part @m); add ! after Henry and [] around &Ilh: [email protected]![&ILH]. Now you have a random, easy to remember password.
Thanks for clarifying that fact for me.
Thanks so much! Would a custom firmware allow me to keep the use of knox? I'm thinking to flash it back to factory and only install and use everything from within knox.
Zep0th said:
This is why I dislike Touchwiz, it's so outdated and vulnerable.
Just reflash your whole system, you can find guides on YouTube on how to flash a new firmware.
I would also recommend changing to a custom ROM with up to date security patches.
Edit: You should also change all your passwords to something very difficult like 'nJfi8t%Nc178c'
If you have difficulties remembering there's a lot of apps out there that can help, I personally use last pass, you should check it out.
Applied Protocol said:
If you were conned into downloading a web extension then this has nothing to do with WhatsApp; it has to do with the user. Contact Google security to change your account. In general, if they hacked a phone, the phone only is the problem, but if they have access to all your info then it can always be a problem. About Bluetooth: always have at least a code between the devices (some BT keyboards do not even have this). Also look at the security update on the device; if it is not the latest then switch to one of the custom ROMs here, which are always secure. As for passwords, think of a sentence and use the first letters of each word; incorporate numbers, capital letters and a symbol. This helps you to remember it. For example: I Have A Dog Who Name Is Henry And I Love Him = IHADWNIHAILH. Now change A for the & symbol, one I for 1 and A for 4 = 1H4DWNIH&ILH. Mix it up with some upper case and lower case (names) = 1h4dwniH&Ilh. You can now add in other symbols or spell words such as [email protected] (too big so we will use only part @m); add ! after Henry and [] around &Ilh: [email protected]![&ILH]. Now you have a random, easy to remember password.
Just another question regarding Knox Secure Folder.
If I were to install and run everything through the Secure Folder and I were to be compromised again through a web extension, would that then allow hackers to view everything on my phone again, regardless of whether it's in the Knox environment or outside? Would a backdoor like that work into the secure environment as it did in my normal Android system?
Thanks again!
phoenix79802 said:
Just another question regarding Knox Secure Folder.
If I were to install and run everything through the Secure Folder and I were to be compromised again through a web extension, would that then allow hackers to view everything on my phone again, regardless of whether it's in the Knox environment or outside? Would a backdoor like that work into the secure environment as it did in my normal Android system?
Thanks again!
If your Knox is still working and not tripped, then that would be a good idea. However, understand that the way to get in and out of Knox still relies on encryption methods (see CVE-2016-1919) as well as the kernel-level security (CVE-2016-6584; see also https://googleprojectzero.blogspot.com/2017/02/lifting-hyper-visor-bypassing-samsungs.html). This means that if the key or encryption method is faulty you can get around it; the kernel is more complicated but will also do the same thing. The last way is to access a shared resource, such as a clipboard, that has access to both places; an example of this is CVE-2016-3996, and CVE-2018-9142. Granted, most of these are 2017 and 2018, and a quick look at the Samsung CVA list at https://www.cvedetails.com/vulnerability-list/vendor_id-822/Samsung.html does not have anything for Oreo; this can be since until recently only the 9s had it. But there is a recurring theme that the CVAs are repeated: out of the last 5, 4 are repeated, and some are simple mistakes (look at Google's Project Zero above on KALSAR). The question is, is this enough? The answer is probably, but a security-oriented ROM might be a better bet. (I know this is not fair since they do not have CVAs.) But a full wipe and fresh install should be enough. Add in a firewall too if you did not have that already.
phoenix79802 said:
Thanks so much! Would a custom firmware allow me to keep the use of knox? I'm thinking to flash it back to factory and only install and use everything from within knox.
Sorry for the late reply, but Knox, in my opinion is super vulnerable, new android versions are safe enough.
And no, using a custom ROM would not have Touchwiz integrated nor Knox. Why? Because it will most likely be running stock android vanilla.
More secure than Samsung's Touchwiz, recommend something like LineageOS.
Zep0th said:
Sorry for the late reply, but Knox, in my opinion is super vulnerable, new android versions are safe enough.
And no, using a custom ROM would not have Touchwiz integrated nor Knox. Why? Because it will most likely be running stock android vanilla.
More secure than Samsung's Touchwiz, recommend something like LineageOS.
Look, this depends on your perspective.
FACT: knox is a hardware based security system which is unique to Samsung
FACT: Samsung phones are the most sold
FACT: The maker of the hardware has the resources to secure it better
Therefore Samsung Knox is more secure, and yes, more users using the phone make it more advantageous to crack it. However, Samsung, to their credit, does try to increase security in other ways, such as using the TrustZone more and SEAndroid policy strengthening. Lineage is a great choice; however, Knox will be tripped, and even if not, it needs custom software to run AFAIK. Also, Samsung is DoD approved (see DoD list and news article). This is not necessarily a good indication of overall security, but it does put things in a good perspective (DoD do not patch themselves; rather they rely on the developers and stay on top of things). Really high-security Android OSes such as Copperhead also have such improvements as Knox (way better if you look carefully), but they are limited on what phones they will work on. Also, Android 8 is a lot more secure, but the fact of the matter is the best party that can secure a Samsung phone is Samsung, though I am not saying they do. I would recommend stock Samsung, but if you need a custom ROM, Lineage is a good choice. This is true also in terms of power (it used to be that Snapdragon charging on a rooted phone is only up to 80%, but I think there is a fix), but in versatility a custom ROM always wins, and power saver settings can be better than the original.

(What are) Must have APPS and To-Do to newbies to Galaxy S9+ (?)

Hey all.
Within a couple of days I'm getting my new Galaxy S9+ (Exynos) phone.
I made a year break from Android and switched to Apple, and now I'm back.
Unfortunately, I know nothing about newest Galaxy phones.
Maybe anyone has suggestions what I should do (download) when I set up my phone (I've watched all the reviews of "must have" etc., don't suggest me to do that)?
I used to root and unlock bootloader for each my android phone, but I won't do that to my Galaxy S9+ at least for 6 months.
Hence, many root apps won't work: "AdAway", "Viper4Android" etc.
Maybe anyone knows Ad Blocking app without rooting a phone?
Or just mention anything that newbie to Galaxy S9+ should know.
(If you're wondering why am I "spamming" with these "stupid" questions: And no, I didn't find any similar thread to this)
Thanks in advance!
I used to root and ROM all my phones, but I don't think it is as necessary as before.
I also used to download all the tweaks, but I don't do that either.
For non-root ad blocking, try Blokada; it is in the F-Droid store.
It is Free and it Works.
I also swear by ES File Explorer to view and move files on your app. Also to sync any cloud storage you have.
If you have a regular phone number and google voice number going to the same phone
Voice Choice 2.0 is a nice app that allows you to make calls with a specific number
i.e. family and close friends have your carrier number
work partners, resume, business line has your google number
when you make a call you don't have to select anything, based on your rules set up it will dial out using the appropriate number.
re
qnc said:
I used to root and ROM all my phones, but I don't think it is as necessary as before.
I also used to download all the tweaks, but I don't do that either.
For non-root ad blocking, try Blokada; it is in the F-Droid store.
It is Free and it Works.
I also swear by ES File Explorer to view and move files on your app. Also to sync any cloud storage you have.
If you have a regular phone number and google voice number going to the same phone
Voice Choice 2.0 is a nice app that allows you to make calls with a specific number
i.e. family and close friends have your carrier number
work partners, resume, business line has your google number
when you make a call you don't have to select anything, based on your rules set up it will dial out using the appropriate number.
Thanks! Maybe you know anything about removing / disabling Bloatware as well?
LaurynasVP said:
Thanks! Maybe you know anything about removing / disabling Bloatware as well?
Check out this thread at your own risk. It works; I disabled Facebook (don't see why that would be on an unlocked phone from Samsung, but I digress):
https://forum.xda-developers.com/galaxy-s9-plus/how-to/s9-s9-bloatware-removal-thread-g960u-t3817810
Be careful with the commands and understand what is being done before you hit the enter/return key
Good thing about disabling is if you fubar the phone you can do a factory restore and start all over
I only disabled Facebook. I will investigate the other software as I play with the phone. Only had it 2 weeks so far.
re
qnc said:
Check out this thread at your own risk. It works; I disabled Facebook (don't see why that would be on an unlocked phone from Samsung, but I digress):
https://forum.xda-developers.com/galaxy-s9-plus/how-to/s9-s9-bloatware-removal-thread-g960u-t3817810
Be careful with the commands and understand what is being done before you hit the enter/return key
Good thing about disabling is if you fubar the phone you can do a factory restore and start all over
I only disabled Facebook. I will investigate the other software as I play with the phone. Only had it 2 weeks so far.
Thanks, I'll keep everything in mind
