The Android Stagefright bug is back and this time, the flaw allows an attacker to hack Android smartphones just by tricking users into visiting a website that contains a malicious multimedia file, either MP3 or MP4. More than 1 Billion Android devices are vulnerable to hackers. Security experts from Tripwire, Veracode and Rapd7 have the following comments on it.

[su_note note_color=”#ffffcc” text_color=”#00000″]Craig Young, Security Researcher at Tripwire :

“ASLR is not a secure coding technique but rather a feature provided by the operating system to block an important step in the exploitation process.  For example, with the initial stage fright release, Zimperium was not able to produce a fully functioning exploit against an up to date Android device because of ASLR. While ASLR can be bypassed (particularly on older devices like what Joshua Drake demonstrated for stagefright) it requires an additional vulnerable and a somewhat more sophisticated exploit writing process. It is important to note that Joshua Drake and Zimperium were only able to say that Stagefright v1 was ‘theoretically’ exploitable for remote code execution on an up to date Android Lollipop phone. Turning this from theoretical to practical is a process involving locating at least one additional vulnerability followed by a non-trivial effort to create a dynamic ROP exploit payload.

So in summary ASLR can and does generally prevent direct exploitation of memory corruption bugs like these but ASLR itself is not perfect. As demonstrated at Black Hat and DEF CON, for older versions of Android with a separate known vulnerability, it is possible to get around ASLR if the attacker can reveal memory addresses needed to calculate the location of so-called ‘ROP gadgets’.

Long story short, if you are targeted by a well-resourced attacker, it doesn’t matter what smartphone OS you use or how up to date you keep your device.  There will always be unpatched or unknown vulnerabilities and there is no way around that.  For the average user (i.e. those of us not tasked for government or law enforcement surveillance) sticking with a device receiving regular updates and being mindful of what apps you install will generally keep you one or more steps ahead of the attackers.  This is bad news for the huge numbers of Android owners with phones that will never receive updates just like it is bad news for consumers using iPhones no longer supported by Apple.

From my perspective, the open nature of Android and the encouragement from Google for community driven research are tremendous tools in democratizing the security of mobiles. While some companies hide behind NDAs and proprietary code, Android actively promotes research into security flaws. In my opinion, the open model makes it more likely that researchers finding critical bugs will disclose them publicly for recognition and even reward rather whereas the closed systems will tend to receive more focused attention from researchers looking for illicit profits from their research.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Chris Wysopal, CISO and CTO, Veracode :

“The latest Stagefright revelations highlight a fundamental security issue that spans the entire software spectrum – developers unknowingly incorporating risk into their apps by not knowing the code libraries they incorporate have vulnerabilities. Stagefright is the default and expected way of handling media files in Android, so why wouldn’t a developer trust it?

Most developers are driven by the need to accelerate time-to-market so leveraging existing libraries and components is a common practice. Whenever software is built this way, you are inherently introducing risk that most developers don’t even know is there. In fact, our own research shows that three-quarters of all mobile apps fail basic security policies such as the Mobile OWASP Top 10.

Patching for Stagefright vulnerabilities seem to continue to be a challenge for the Android community. Google’s done a good job issuing updates, however, waiting for handset manufacturers or carriers to issue a patch has proven to be problematic since many of the 1.0 patches still haven’t been rolled out to end-users. Companies need to manage risk posed by both operating system and application threats using tools such as MDM platforms in conjunction with mobile application security software.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Trey Ford, Global Security Strategist, Rapid7 :

“In June of last year, Google announced they have 1 Billion (with a capital B) active monthly users. This data point combined with other sites reporting the domination of Android in the mobile market— the projected scope of impact at 1 billion realistic.

“The challenge that the mobile community faces is somewhat tied to the lack of portability between carriers (at least in the United States). When you buy a handset from the carrier, that discounted purchase is subsidized by the carrier contract. The carriers have a custom software build, with their own ‘out of box experience’ with special licensing agreements, software features and promotions. This process exacerbates an already complex supply chain. Carriers have inadvertently complicated the hardware supply chain with additional software on multiple hardware platforms, making their quality assurance testing process extremely complicated and slow.

“The advice I give friends and family is to buy handsets that allow for updates directly from the manufacturer. For those who love Android – buy directly from Google to remove the carrier-introduced delay when Android releases a security patch. For Google, this is an ecosystem problem. Google manages Android, and does a respectable job shipping patches. They deliver  to the carriers (which in turns, the carriers take some time (picture 9-18 months) before those patches are certified and delivered over the air to the devices. In other cases, they don’t bother, as the handset life expectancy is so brief for the consumer.  Discerning consumers are paying attention, they want to keep their patches up to date!”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Mark James, IT Security Specialist at ESET :

How does this differ to previous Stagefright vulnerabilities?

“The first version of Stagefright required some information, namely your mobile number to be able to send the txt message to your device. This new version does not even need to know any of your information to be successful; merely visiting the website and previewing the malicious file could trigger the use of the vulnerability. This in theory enables a much wider audience and indeed could enable access to over 1 billion android devices.”

How does it work?

“When visiting the website and previewing the infected song or video file it could enable the attacker to gain access to your mobile device and run remote code, this code could in theory allow them full access to your device enabling them to do whatever they wish. This could include installing other malware or just harvesting your data for use in identity theft.”

What can users do before their update becomes available?

“You absolutely have to think before visiting websites, all too often people fail to understand their mobile devices are just as much at risk as their desktops. There are so many methods used these days for infecting the unsuspecting end user that you must think twice before clicking that link. We all know there is nothing for free in this world, everything comes at a cost and your private data is worth a lot more than a free music or video file.”[/su_note]

Notify of

1 Expert Comment
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Information Security Buzz
Would love your thoughts, please comment.x