
Google Researchers Diminish Stagefright’s Main Defense

September 18, 2015 - Written By Ricardo Trevizo

Android has long been criticized for its security, and that criticism has intensified over the past few months after a critical bug was found in a core component of the OS: libstagefright, the library that parses media files. The Stagefright vulnerability is considered extremely dangerous for the large share of Android devices that still have not received a patch for it. Google has addressed the threat publicly only a few times: once to say that it was already working on a fix, and again when a patch was released to the Android source code. Today, members of Google's Project Zero vulnerability research team published their own thoughts on Android's security as a whole and undercut one of the main arguments used to play down the Stagefright bugs: address space layout randomization (ASLR).

ASLR had been presented as the reason Android's security issues are less harmful in practice than they look on paper: it randomizes where libraries and other memory regions are loaded, so an attacker who can corrupt memory still does not know which addresses to target. Google's own Project Zero team has now shown how little that argument is worth in this case. That raises real concerns about Android's overall security, because ASLR was the go-to answer whenever Google spokespeople were questioned about Stagefright: the bugs existed, they said, but ASLR made them difficult to exploit.

According to the Project Zero researchers, ASLR on the device they targeted can be bypassed in a very straightforward manner. libc.so can land at only 256 possible base addresses (eight bits of entropy), so instead of leaking an address, they simply guess one. “We simply choose one of the 256 possible base addresses for libc.so, and write our exploit and ROP stack assuming that layout. Launching the exploit from the browser, we use javascript to keep refreshing the page, and wait for a callback. Eventually memory will be laid out as we expect, bypassing ASLR with brute force in a practical enough way for real-world exploitation”, the Project Zero researchers stated. This works because a wrong guess only crashes the media server process, which Android restarts automatically with a fresh layout, so every page refresh is another attempt; on average the guess matches after 256 tries. It is now clear that the supposed defense against Stagefright exploits is not enough on its own; hopefully Google will address the weakness sooner rather than later, and until then the only real protection for a device is an actual patch for the bug.
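As an added example (not code from the article or from Project Zero), the following C program models the brute-force strategy in the quote: the "attacker" commits to one guessed libc.so base and its ROP chain, each miss is treated as a crash that restarts the process with a new random base, and the loop continues until the guess matches. The page-aligned slide, the link base address, the xorshift PRNG standing in for the loader's randomness, and the `entropy_bits` parameter are all modelling assumptions; eight bits reproduces the 256 possible bases the researchers describe, and the probability functions show why that is cheap to brute force while a wider slide is not.

```c
#include <stdio.h>
#include <stdint.h>

/* Modelling assumption: libc.so is loaded at link_base plus a page-aligned
 * slide drawn from 2^entropy_bits choices.  entropy_bits = 8 reproduces the
 * "256 possible base addresses" in the Project Zero quote. */
#define PAGE_SHIFT 12u

/* xorshift32: a tiny deterministic PRNG standing in for the loader's
 * randomness, so the simulation is reproducible (state must not be 0). */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *s = x;
}

/* The "defender": each time the media server (re)starts, the loader picks a
 * fresh random slide for libc.so from 2^entropy_bits choices. */
static uint64_t pick_libc_base(uint32_t *rng, uint64_t link_base, unsigned entropy_bits) {
    uint64_t slide = xorshift32(rng) & ((1ull << entropy_bits) - 1ull);
    return link_base + (slide << PAGE_SHIFT);
}

/* The "attacker": commit to one guessed slide (the ROP chain is written for
 * that layout), fire the exploit, and treat a mismatch as a crash.  The
 * process is restarted with a new layout and the page is refreshed, so the
 * same payload is simply sent again.  Returns the attempt number on which
 * the guess matched, or 0 if it never matched within max_attempts. */
unsigned long brute_force_aslr(unsigned entropy_bits, uint64_t guessed_slide,
                               uint32_t seed, unsigned long max_attempts) {
    const uint64_t link_base = 0xb6f00000ull; /* arbitrary, assumption */
    uint32_t rng = seed ? seed : 1u;
    uint64_t target = link_base + (guessed_slide << PAGE_SHIFT);
    for (unsigned long attempt = 1; attempt <= max_attempts; attempt++) {
        uint64_t actual = pick_libc_base(&rng, link_base, entropy_bits);
        if (actual == target)
            return attempt;          /* callback fired: ROP chain ran */
        /* otherwise mediaserver crashed and was restarted; refresh the page */
    }
    return 0;
}

/* Probability of at least one hit within n independent attempts, each
 * succeeding with probability 2^-entropy_bits: 1 - (1 - 2^-bits)^n.
 * Computed by repeated multiplication so the example needs no libm. */
double success_probability(unsigned entropy_bits, unsigned long n) {
    double miss = 1.0 - 1.0 / (double)(1ull << entropy_bits);
    double miss_all = 1.0;
    for (unsigned long i = 0; i < n; i++)
        miss_all *= miss;
    return 1.0 - miss_all;
}

/* Mean number of attempts until the first hit (geometric distribution): 2^bits. */
double expected_attempts(unsigned entropy_bits) {
    return (double)(1ull << entropy_bits);
}

int main(void) {
    unsigned long got = brute_force_aslr(8, 0x42, 0xdeadbeefu, 100000);
    printf("8-bit slide: guess matched on attempt %lu\n", got);
    printf("expected attempts: %.0f, P(success within 256 tries) = %.3f\n",
           expected_attempts(8), success_probability(8, 256));
    /* For comparison, a hypothetical 28-bit slide makes the same loop hopeless. */
    printf("28-bit slide: expected attempts %.0f, P(success within 1e6 tries) = %.6f\n",
           expected_attempts(28), success_probability(28, 1000000));
    return 0;
}
```

The numbers are the whole point: with eight bits of slide, the expected cost of a blind guess is 256 restarts and the attacker is more likely than not to have succeeded after that many refreshes, which is exactly the "practical enough" bypass the researchers describe. The same loop against a slide of twenty-plus bits would need millions of crashes to get anywhere, which is why the weakness here is the amount of entropy, not the idea of ASLR itself.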