
By: Andy Sherman on July 28th, 2015


Stagefright Vulnerability Affects 95% of Phones


On Monday, Zimperium Inc, a maker of mobile security solutions, announced that their security researcher Joshua J Drake (@jduck) had discovered a serious vulnerability in the Stagefright library in Android that allows arbitrary remote code execution and can be triggered just by sending an MMS message. (Related coverage here, and here.) Stagefright is Android’s library for handling certain types of media files. According to Zimperium:

Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

Zimperium have shown a demonstration of how this works in their post.


Scope

This vulnerability affects all versions of Android from 2.2 to the current Android Lollipop 5.1.1 release, which is about 95% of all currently active Android devices, or about 950 million of them. That’s a huge attack surface. And because of the way that Android is distributed, most of those won’t get patched any time soon.

Zimperium included patches in their bug reports to Google, who immediately accepted them. Those patches are now available. However, virtually all Android users depend on device manufacturers, or in some cases carriers, to provide the patch. To date, only the ultra-secure Blackphone has been patched. Users of Android devices older than 18 months may never see a patch.

Interestingly enough, this vulnerability also affected Firefox on all platforms other than Linux, including FirefoxOS. As of version 38 that’s been patched.

Remediation

Check with your device manufacturer or carrier to find out when patches will be available for your handset or tablet. As soon as patches are available for your device, install them. It will most likely be in the form of an over-the-air firmware update. Make sure your copies of Firefox are all updated.

Other than that, one thing you can do is turn off the auto-download feature for MMS messages and be extremely cautious about opening MMS messages, especially from unfamiliar numbers. Note that a friend’s compromised phone could also send you a nasty message, so knowing the sender is no guarantee of safety.

Zimperium makes a mobile intrusion prevention system, zIPS, that they claim stops this vulnerability, but I have no direct knowledge. While a vulnerability report that also promotes a product usually makes me uneasy, Zimperium have been incredibly responsible in their handling of this issue — Google would not have had patches so quickly without them.

Zimperium will be presenting more detail on their work at Black Hat and DefCon. I imagine their talks will be well attended.

About Andy Sherman

Andy Sherman, Eden Technologies’ security practice lead, has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.