The Android Stagefright Exploit, and what you should know.

V_R (¯\_(ツ)_/¯, Moderator)
Joined Jan 31, 2005 · Messages 13,572 · Reaction score 1,888
This is something that needs to be known. If you've not heard of it already, read on.

http://www.androidcentral.com/stagefright

"In July 2015, security company Zimperium announced that it had discovered a "unicorn" of a vulnerability inside the Android operating system. More details were publicly disclosed at the BlackHat conference in early August — but not before headlines declaring that nearly a billion Android devices could potentially be taken over without their users even knowing it.

What is Stagefright?
"Stagefright" is the nickname given to a potential exploit that lives fairly deep inside the Android operating system itself. The gist is that a video sent via MMS (text message) could be theoretically used as an avenue of attack through the libStageFright mechanism (thus the "Stagefright" name), which helps Android process video files. Many text messaging apps — Google's Hangouts app was specifically mentioned — automatically process that video so it's ready for viewing as soon as you open the message, and so the attack theoretically could happen without you even knowing it.

Because libStageFright dates back to Android 2.2, hundreds of millions of phones contain this flawed library.

New Stagefright details as of Aug. 5
In conjunction with the BlackHat conference in Las Vegas — at which more details of the Stagefright vulnerability were publicly disclosed — Google addressed the situation specifically, with lead engineer for Android security Adrian Ludwig telling NPR that "currently, 90 percent of Android devices have a technology called ASLR enabled, which protects users from the issue."

This is very much at odds with the "900 million Android devices are vulnerable" line we have all read. While we aren't going to get into the midst of a war of words and pedantry over the numbers, what Ludwig was saying is that devices running Android 4.0 or higher — that's about 95 percent of all active devices with Google services — have protection against a buffer overflow attack built in.

ASLR (Address Space Layout Randomization) is a method that keeps an attacker from reliably finding the function he or she wants to try and exploit by random arrangement of memory address spaces of a process. ASLR has been enabled in the default Linux Kernel since June 2005, and was added to Android with Version 4.0 (Ice Cream Sandwich).

How's that for a mouthful?

What it means is that the key areas of a program or service that's running aren't put into the same place in RAM every time. Putting things into memory at random means any attacker has to guess where to look for the data they want to exploit.

This isn't a perfect fix, and while a general protection mechanism is good, we still need direct patches against known exploits when they arise. Google, Samsung (1), (2) and Alcatel have announced a direct patch for stagefright, and Sony, HTC and LG say they will be releasing update patches in August.

So should I worry about Stagefright or not?
The good news is that the researcher who discovered this flaw in Stagefright "does not believe that hackers out in the wild are exploiting it." So it's a very bad thing that apparently nobody's actually using against anyone, at least according to this one person. And, again, Google says if you're using Android 4.0 or above, you're probably going to be OK.

That doesn't mean it's not a bad potential exploit. It is. And it further highlights the difficulties of getting updates pushed out through the manufacturer and carrier ecosystem. On the other hand, it's a potential avenue for exploit that apparently has been around since Android 2.2 — or basically the past five years. That either makes you a ticking time bomb, or a benign cyst, depending on your point of view.

And for its part, Google in July reiterated to Android Central that there are multiple mechanisms in place to protect users."
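The quoted article's point about ASLR (the stack, heap and libraries not landing at the same address every run) can be observed directly on a Linux box. The following is an added example, my own code rather than anything from the thread or the article: it starts a few fresh child processes, reads each one's /proc/self/maps, and reports which regions actually moved between runs. The child program and the region names are my own choices.

```python
import subprocess, sys
from collections import defaultdict

# Constructed child program: dump its own memory map and exit.
CHILD_SRC = "import sys; sys.stdout.write(open('/proc/self/maps').read())"

def parse_maps(maps_text):
    """Return {region: base address} for the stack, heap and C library."""
    bases = {}
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) < 6:          # anonymous mappings carry no path
            continue
        start = int(fields[0].split("-")[0], 16)
        path = fields[5]
        if path == "[stack]":
            key = "stack"
        elif path == "[heap]":
            key = "heap"
        elif path.rsplit("/", 1)[-1].startswith(("libc.so", "libc-")):
            key = "libc"
        else:
            continue
        bases.setdefault(key, start)  # keep the lowest mapping per region
    return bases

def sample_layouts(runs=5):
    """Start a fresh child `runs` times and record where its regions landed."""
    samples = []
    for _ in range(runs):
        proc = subprocess.run([sys.executable, "-c", CHILD_SRC],
                              capture_output=True, text=True, check=True)
        samples.append(parse_maps(proc.stdout))
    return samples

def regions_randomized(samples):
    """Map each region to True if its base differed between at least two runs."""
    seen = defaultdict(set)
    for layout in samples:
        for region, base in layout.items():
            seen[region].add(base)
    return {region: len(bases) > 1 for region, bases in seen.items()}

if __name__ == "__main__":
    for region, moved in sorted(regions_randomized(sample_layouts()).items()):
        print(f"{region:<5} {'randomised' if moved else 'FIXED: not randomised'}")
```

A region reported as FIXED means the kernel is not randomising it; on Linux the knob is /proc/sys/kernel/randomize_va_space (0 = off, 2 = full, including the heap).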
 

Becky (Webmistress)
Joined Mar 25, 2003 · Messages 7,424 · Reaction score 1,511
I hadn't read anything about this, so thanks for sharing :nod:
 

V_R (¯\_(ツ)_/¯, Moderator)
Joined Jan 31, 2005 · Messages 13,572 · Reaction score 1,888
I forgot to say in the OP...

The free app, called Stagefright Detector App, performs six checks for the bug and reports back. Users who are using a vulnerable device are advised to disable multimedia messaging (MMS) and to be careful about opening messages sent to them by unknown contacts.

Though I don't think the app is needed; fact is, you almost certainly have a vulnerable device, unless you're running a custom ROM or a Nexus device.
 
