Vulnerability in Stagefright could expose 95 percent of Android devices to risk
Although you may not have heard of it, Stagefright is at the heart of the Android operating system. It's a media library that processes several popular media formats. Since media processing is often time-sensitive, the library is implemented using native code (C++) that is more prone to memory corruption than memory-safe languages like Java.
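To make the memory-corruption point concrete, here is an added illustration that is not Stagefright code and does not reproduce any of the bugs Zimperium reported. It uses a constructed toy container format made of "size + four-character type" chunks, in the style of many media formats, and contrasts a bounds check whose 32-bit addition can wrap around with a hardened check that compares against the remaining space instead. The chunk layout, function names and sample files are all assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a toy container of "size + 4-char type" chunks.
 * Not Stagefright's code; it illustrates the class of defect that native
 * media parsers are prone to, not any specific reported vulnerability. */

#define CHUNK_HDR_LEN 8u

/* Read a big-endian 32-bit length field. Caller guarantees 4 readable bytes. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Naive bounds check: the sum can wrap in 32-bit arithmetic, so a
 * declared size near 4 GiB passes and a later copy would overrun the buffer. */
bool chunk_fits_naive(uint32_t offset, uint32_t declared, uint32_t buf_len) {
    uint32_t end = offset + declared;   /* may wrap around to a small value */
    return end <= buf_len;
}

/* Hardened bounds check: compare the declared size against the space that
 * actually remains, so no intermediate value can wrap. */
bool chunk_fits_safe(uint32_t offset, uint32_t declared, uint32_t buf_len) {
    if (offset > buf_len) return false;
    return declared <= buf_len - offset;
}

/* Walk the chunk list using the hardened check. Returns the number of
 * well-formed chunks, or -1 as soon as a header is malformed. */
int parse_chunks(const uint8_t *buf, uint32_t buf_len) {
    uint32_t offset = 0;
    int count = 0;
    while (offset < buf_len) {
        /* A full header must be present before the size field is read. */
        if (!chunk_fits_safe(offset, CHUNK_HDR_LEN, buf_len)) return -1;
        uint32_t declared = read_be32(buf + offset);
        /* A size smaller than its own header would make the loop spin forever. */
        if (declared < CHUNK_HDR_LEN) return -1;
        if (!chunk_fits_safe(offset, declared, buf_len)) return -1;
        count++;
        offset += declared;   /* cannot overflow: declared <= buf_len - offset */
    }
    return count;
}

/* Constructed sample files (not real media data). */
static const uint8_t good_file[] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 1,2,3,4,5,6,7,8,
    0x00,0x00,0x00,0x0C, 'm','d','a','t', 9,10,11,12,
};
static const uint8_t bad_file[] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 1,2,3,4,5,6,7,8,
    0xFF,0xFF,0xFF,0xF8, 'm','d','a','t',   /* declared size wraps the naive sum */
};

int main(void) {
    printf("good file: %d chunks\n", parse_chunks(good_file, sizeof good_file));
    printf("bad file: %d (rejected)\n", parse_chunks(bad_file, sizeof bad_file));
    printf("naive check accepts the bad chunk: %s\n",
           chunk_fits_naive(16, 0xFFFFFFF8u, sizeof bad_file) ? "yes" : "no");
    return 0;
}
```

The naive check accepts the second chunk of `bad_file` because 16 + 0xFFFFFFF8 wraps to 8 in 32-bit arithmetic, which is within the 24-byte buffer; any copy that trusted that result would read or write far past the end. The hardened check rejects it, and the parser stops rather than continuing on attacker-controlled offsets. In a memory-safe language the same logic error would surface as a caught exception instead of silent memory corruption, which is the contrast the paragraph above draws.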
Researchers at mobile security company Zimperium have uncovered an issue in the Stagefright code that they believe to be one of the worst Android vulnerabilities to date.
Zimperium zLabs VP of Platform Research and Exploitation, Joshua J Drake, carried out the research, which will be presented at Black Hat USA on August 5. The study found multiple remote code execution vulnerabilities in Stagefright that can be exploited using various methods, the worst of which requires no user interaction. These issues could critically expose 95 percent of Android devices, an estimated 950 million units worldwide.
"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS," says Drake. "A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual -- with a trojaned phone."
Android versions from 2.2 Froyo onwards are vulnerable. Devices running Android versions prior to Jelly Bean (roughly 11 percent of the total) are at the greatest risk because those releases have weaker exploit mitigations.
Zimperium reported its discovery to Google and also submitted patches. Google has acted promptly and applied these patches to internal code branches within 48 hours, but that's only the start of what will be a very lengthy process of update deployment.
Fixes for these issues require an OTA firmware update for all affected devices. Such updates for Android devices have historically taken a long time to reach users. Devices more than 18 months old are unlikely to receive an update at all.
Drake says, "We hope that members of the Android ecosystem will recognize the severity of these issues and take immediate action. In addition to fixing these individual issues, we hope they will also fix any business processes that prevent or slow the uptake of such fixes."
Two groups are already protected against the reported issues. Users of SilentCircle's Blackphone have been protected as of the release of PrivatOS version 1.1.7. Mozilla's Firefox, which is also affected, has included fixes for these issues since version 38.
Zimperium advises users and enterprises to contact their device manufacturer and/or carrier to find out whether or not their device has been updated with the necessary patches.