A significant security flaw has been identified and disclosed by Zimperium zLabs’ Vice President, Joshua J Drake. The flaw resides in a media-handling library called “Stagefright,” which is also the name being given to the flaw. Essentially, the Stagefright code allows the device to read and display common file types such as PDFs, which may be sent to the device via MMS (multimedia messaging service – commonly known as a picture message). The exploit allows the data being read to silently install applications or scripts onto a device. Zimperium zLabs estimates that 95% of Android devices are potentially vulnerable to the exploit: Stagefright was introduced with Android 2.2 FroYo and Zimperium’s estimate covers devices from this era forwards. Joshua said this on the discovery: “As a result of hastily written code, there are a number of security vulnerabilities in Android devices. One piece of software in particular, called Stagefright, has errors in the code that lets attackers send malware directly to any device where they know the phone number.” There are reputedly one billion Android devices in the wild running Android 2.2 and later, so the estimated number of potentially vulnerable devices is 950 million.
Because these media files can be delivered via MMS, a hacker who knows a target’s phone number could run a Stagefright exploit while the user is asleep. The user does not need to open an attachment, a link or even the new multimedia message (depending on the messaging application used and its settings). This is different from most traditional Android hacking techniques, which rely on the target clicking on a link and typically agreeing to any device prompts that appear. Once a hacker has gained a foothold on a target device, the hacker has immediate access to many of the phone’s applications and services: it would be relatively easy to delete the offending MMS (such that there is no obvious evidence of the attack), or visit a website and download more hacking applications. If this happens while the user is asleep, he or she could wake up not realizing that their device is compromised and carry on with their day.
So far, Zimperium zLabs has not witnessed any hackers attempting to exploit the bug. Meanwhile, Google has already created patches to remove the exploit and is already distributing these to affected devices. Furthermore, whilst the Stagefright issue is tightly integrated into the operating system and gives immediate access to a lot of privileged systems, Android is not an open book when it comes to exploitation. According to Google, all newer devices (it is unclear how new this means) have layered systems and technologies designed to make hacking into the device much harder. Android contains an application sandbox, which is built to firewall user data and applications from one another. Stagefright doesn’t give hackers full control of the device, but it does make life easier for them.
As for Google fixing the vulnerabilities, Zimperium told Google about the issue earlier in the year (April and May are mentioned) with proposed fixes to the code, which Google accepted. Google’s statement that patches are being distributed does not make it clear if these are already on the devices in question. We understand that the Nexus 6 is secured against the Stagefright vulnerability, as is the Blackphone. HTC have confirmed that they are aware of the issue and started work on the patches earlier this month; all new updates will contain the fix. Other manufacturers have so far remained silent, and part of the issue is that not all messaging applications are vulnerable to the exploit: both Google’s Messaging and Hangouts applications are vulnerable (Hangouts more so), but Samsung’s own messaging application may not be. There are also many more devices still in use in the world today than are actively supported by the manufacturers.
Should we be worried? Should we tell the Hangouts application to no longer auto-retrieve MMS messages? Is it time to ask our manufacturer if they are going to introduce the fix soon? We have more questions than answers, but burying our heads in the sand because no hacker has yet used the technology is not a sensible option. The 950 million figure quoted from Zimperium is an estimate and it is not clear what this is based on. Perhaps hackers were not aware of the exploit, and if this is the case, they will be now. Unfortunately, this is a developing story and the technology press has a habit of digging up scary-sounding stories: we will let you know as soon as we are aware of any changes, especially manufacturers and carriers rolling out updates.