Hi, I thought the Stagefright bug fix was included in some patch release, but now noticed it wasn’t applied until a major upgrade from 1.6 to Koala Nut 1.8.7 (see the announcement thread).
Do you think my phone might have become compromised? I haven’t noticed anything weird, but my mobile phone number is listed on the internet by a company that lists as much “private” information as they can about everyone in my country.
Would a backup, factory reset, and restore remove any … rootkit that might have been installed by some attacker?
Or might a backup back up any rootkit files too, or an attacker’s evil files or apps — and then I’d restore them back again? (For example, perhaps the backup-restore would backup-and-restore some evil startup script, so the phone would still be compromised after the restore.)
Best regards, KajMagnus
1 Like
Hi, well I don’t know to what extent the holes are actually being exploited and therefore how realistic the risk is. Your phone number being listed by a service like that could also result from the fact that somebody else’s devices could have been compromised. Not necessarily due to libstagefright, but also simply due to some malicious app.
Regarding backups: Of course, if you back up and restore, and an attacker has put some script on your device, you will back it up and restore it. But usually, most “dumb” rootkits tend to attack the system partition, which is normally wiped during the system upgrade already. The safest strategy here would be to restore only non-executable files instead of your complete home directory (that is, pictures, phone call lists, contacts etc.).
Looking at it more theoretically, you might know that a smartphone usually has around 10-25 separate partitions, most of them writable by any attacker with root rights - check out /proc/partitions (by running ‘cat /proc/partitions’ via adb or from a terminal emulator) to get a list of them. With the system update and backup/restore we are talking about only three partitions (userdata, cache, system) being wiped and restored; the others are normally never written to. Although they contain only proprietary stuff like the radio firmware, for which an attacker would need very advanced knowledge to exploit them for installing a rootkit, I would not generally rule out this possibility. Therefore - if you want to gain more confidence - better dump these partitions to files (e.g. using adb pull) and compare their checksums to those of other Fairphone users. Please be aware though that some checksums will probably mismatch because things like the MAC address of your Wi-Fi card or your IMEI number might be stored in one of them.
So far, the theoretical options. Practically, if your system has really been compromised (which is hard to tell), you will probably remove more than 98% of all known rootkits (my personal assumption, not based on any facts) by factory reset and restore.
3 Likes
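The partition-checksum comparison suggested in the reply above, worked through as an added example (editor's illustration, not code from the thread or from Fairphone). The adb/dd commands that produce the dumps are shown only as comments; what runs is the comparison of two checksum manifests plus a parser for the `/proc/partitions` listing. All sample data is constructed, the block-device names are placeholders, and the list of partitions that legitimately differ between two phones (the ones holding per-device data such as the Wi-Fi MAC or IMEI) is an assumption that a real comparison would have to establish first.

```shell
#!/bin/sh
# Added example (not from the forum post). Compares sha256 manifests of dumped
# partitions from two devices and separates "expected" per-device differences
# from unexplained mismatches worth investigating. All data below is CONSTRUCTED.

# Step 1 (on a PC with adb; NOT executed here, shown for context only):
#   adb shell cat /proc/partitions                  > partitions.txt
#   adb shell "su -c 'dd if=/dev/block/mmcblk0p7'"  > mmcblk0p7.img   # one per partition
#   sha256sum *.img                                 > mine.sha256
# A second user does the same and shares only ref.sha256 (hashes, not the images).

# Print the block-device names from /proc/partitions text read on stdin
# (skips the "major minor #blocks name" header and blank lines).
partition_names() {
  awk 'NR > 1 && NF == 4 && $4 != "name" { print $4 }'
}

# compare_manifests REF MINE EXPECTED_DIFF
# REF and MINE are in sha256sum output format ("<digest>  <file>").
# EXPECTED_DIFF lists, one per line, files allowed to differ (ASSUMED to hold
# per-device data such as MAC/IMEI). Prints one status line per entry in MINE
# and returns 1 if any unexpected MISMATCH was found, 0 otherwise.
compare_manifests() {
  ref=$1; mine=$2; expected=$3; status=0
  while read -r digest name; do
    [ -n "$name" ] || continue
    refdigest=$(awk -v n="$name" '$2 == n { print $1 }' "$ref")
    if [ -z "$refdigest" ]; then
      echo "MISSING       $name (not in reference manifest)"
    elif [ "$refdigest" = "$digest" ]; then
      echo "OK            $name"
    elif grep -qx "$name" "$expected"; then
      echo "EXPECTED-DIFF $name (per-device data, not evidence of tampering)"
    else
      echo "MISMATCH      $name"; status=1
    fi
  done < "$mine"
  return $status
}

# Self-contained demo: constructed manifests with short fake digests (real
# sha256sum output has 64 hex characters). Returns compare_manifests' status.
demo_compare() {
  tmp=$(mktemp -d)
  cat > "$tmp/ref.sha256" <<'EOF'
1111  mmcblk0p1.img
2222  mmcblk0p2.img
3333  mmcblk0p3.img
EOF
  cat > "$tmp/mine.sha256" <<'EOF'
1111  mmcblk0p1.img
9999  mmcblk0p2.img
4444  mmcblk0p3.img
EOF
  # Assumption for the demo: mmcblk0p3 is the partition holding MAC/IMEI.
  printf '%s\n' mmcblk0p3.img > "$tmp/expected_diff.txt"
  compare_manifests "$tmp/ref.sha256" "$tmp/mine.sha256" "$tmp/expected_diff.txt"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

demo_compare || echo "at least one unexpected mismatch: investigate before trusting this device"
```

Run stand-alone, the demo reports `mmcblk0p1` as OK, `mmcblk0p3` as an expected difference, and `mmcblk0p2` as a mismatch. A mismatch on its own is not proof of a rootkit (different firmware builds also change these hashes), so the reference manifest should come from a phone on exactly the same Fairphone OS version.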
Hi Kuleszdl,
Thanks for the detailed information. I’ve had a closer look at how a money-related app on my phone works, and it seems it’s safer than what I previously thought. So I think I’ll leave the phone as is.
Re the phone numbers being listed: Seems there’s a misunderstanding. In fact the website has existed for many years. It fetches people’s addresses and phone numbers and everything else they can publish without getting sued, and publishes it on the internet. So they don’t get their data from the Stagefright bug — I mentioned the site because it allows other people to get my phone number, and in that way makes the Stagefright attack possible / easier.
(Ok, seems like a good idea to restore only pictures, phone call lists, contacts etc., if some day in the future I want to backup-restore.)
Hi, I am scratching my head too. I have Koala Nut 1.8.7, but Stagefright Detector from ZIMPERIUM v.5.1 tells me I am vulnerable (CVE-2015-3876 and CVE-2015-6602).
Any information about this?
See this post, and my post below it.