Fallout from the Android Stagefright OTA Update: Trustlook Mobile Security Memory Boost Stays Alive while Other Task Management Apps Are Left Disabled

Google addressed the Stagefright bug by rapidly developing and releasing the Android 5.1.1 Stagefright fix. However, the fix broke the widely used “recent activity” log access for the developer community. As a result, the Stagefright “fix” disabled many popular task management, parental control and app-locker Android applications. The Trustlook team moved quickly with a timely update of the Trustlook Mobile Security application. “Memory Boost”, our task management feature, continued to work as normal for millions of our users while others remain disabled.

The Nexus 6 Phone screenshot below shows all is A-OK. Users can continue to keep their Android devices running in tip-top shape.

The story started at Black Hat 2015 (08/01-08/06), when an exploit called Stagefright was revealed to the public as a threat to over 95% of Android devices. The Stagefright exploit abuses the media playback library of the Android operating system to execute malicious code embedded in multimedia files. Later, on 08/12/2015, Google released the OTA update to fix the Stagefright bug.

Immediately after the users updated their Nexus 6 phones, they found:

[Screenshot: review]

As shown in the red box at the bottom right of the screenshot, a user of a famous Task Killer app with 50 Million to 100 Million downloads stated: “Latest update for Android 5.1.1 killed this app. …”

To further investigate the Android OTA update, we researched the top 10 Task Killer apps in Google Play and were shocked to find that (as late as 08/14/2015) all of the apps that are supposed to kill other unauthorized processes were themselves ‘disabled’ by the OTA update.

Here are a few examples of the most popular ones:

The aforementioned Advanced Task Killer app, which has more than 50 Million downloads:

Screenshot_2015-08-17-17-20-32

Exactly as described by the review, the app failed to access any of the processes in memory:

Screenshot_2015-08-17-15-29-48

Here is another example:

Screenshot_2015-08-17-17-14-18

Zapper Task Killer & Manager, with more than 1 Million downloads, was developed by a renowned mobile antivirus vendor. Its process killer feature was blocked after the Android OTA update. No process other than Zapper itself was recognized, even though several apps and games were still running in the operating system. In other words, Zapper failed to access any recently used apps, let alone force them to stop.

Screenshot_2015-08-17-15-37-10

The root cause of the problem is the new permission requirement of the ActivityManager.getRunningAppProcesses() method in Android 5.1.1. After the Android OTA update, PERMISSION.REAL_GET_TASKS needs to be requested and granted by the user in order to get the full list of tasks and processes.
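One way an app can detect the condition described above and tell the user about it instead of showing an empty task list. This is an added example, not Trustlook's code or code from any of the apps mentioned. The class name `ProcessVisibilityCheck` is hypothetical, and the full permission string `android.permission.REAL_GET_TASKS` is an assumption based on the permission named in the article.

```java
import android.app.ActivityManager;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Process;

import java.util.List;

/** Hypothetical helper: reports whether the platform is filtering the process list. */
public final class ProcessVisibilityCheck {

    // Assumption: the permission the article names, under the android.permission namespace.
    private static final String REAL_GET_TASKS = "android.permission.REAL_GET_TASKS";

    public enum Visibility { FULL, OWN_PROCESSES_ONLY, UNKNOWN }

    private ProcessVisibilityCheck() {}

    public static Visibility check(Context context) {
        ActivityManager am =
                (ActivityManager) context.getSystemService(Context.ACTIVITY_SERVICE);
        if (am == null) {
            return Visibility.UNKNOWN;
        }

        List<ActivityManager.RunningAppProcessInfo> procs = am.getRunningAppProcesses();
        if (procs == null || procs.isEmpty()) {
            return Visibility.UNKNOWN;
        }

        // If any entry belongs to another UID, the list is not restricted to this app.
        int myUid = Process.myUid();
        for (ActivityManager.RunningAppProcessInfo p : procs) {
            if (p.uid != myUid) {
                return Visibility.FULL;
            }
        }

        // Only our own processes came back. If the permission is not held, this matches
        // the post-OTA behaviour described in the article.
        boolean granted = context.checkPermission(REAL_GET_TASKS, Process.myPid(), myUid)
                == PackageManager.PERMISSION_GRANTED;
        return granted ? Visibility.UNKNOWN : Visibility.OWN_PROCESSES_ONLY;
    }
}
```

A task manager that gets `OWN_PROCESSES_ONLY` can explain that the OS is hiding other apps' processes, rather than reporting that nothing is running.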

CONCLUSION

From this series of events involving Stagefright, the OTA update and the Task Killer apps, we can see that, due to the open-source nature of the Android Open Source Project (AOSP), vulnerabilities and exploits were discovered only a few days ahead of the real zero-day attacks. Thus, the community is patching the Android operating system at a much faster speed, and this might require subsequent patches from third-party developers and antivirus vendors. In this evolving environment, the best strategy for Android users is:

1. to keep a keen eye on security updates for both the Android OS and antivirus apps,

2. to always use the most up-to-date versions to protect the devices and the data.

Please contact support@trustlook.com for comments.

Authors: Jinjian Zhai, Tianfang Guo, Weimin Ding, Wilson Ye