Stagefright: Yes, It's Still a Vulnerability

AH Malware encryption data theft virus

Android has security flaws, news to hopefully nobody, especially owners of an Android device.  When the greater majority of the public heard about the Stagefright vulnerability within Android, and causing problems from versions 4.1 to 5.1, many panicked, while Google’s team was busy working to address the vulnerability.  Meanwhile, the group that found the vulnerability was busy trying every possible method to get more out of the vulnerability, to help create a better and more secure patch for the problem that plagued all current and last generation flagships.

Today, however, Google’s Project Zero group, which focuses on such security flaws as the Stagefright exploit, took a test run of the recent patches, and found some interesting stuff.  First, a recap of what this major flaw was, for those who haven’t heard the name in a bit.  The Stagefright exploit was a vulnerability in a file in the Android OS’s core that related to media playback.  When malicious code was sent to this file for execution, the Stagefright file would allow the code to run, and the device was essentially compromised.  The fix that the Project Zero group tested was address space layout randomization, ASLR for short, which randomized the spot that would let the malicious code execute using Stagefright.

ASLR, according to one Project Zero researcher, was able to prevent an assault on a test device running the latest patches for over an hour, which would allow for most users to get out of the website, Webview advertisement, or whatever place was trying to gain access to their device.  On the other end of the spectrum, the shortest time it took to get in was half a minute.  The math, for calculating the chances of access-gaining, go like this: there are 256 possible spots for the malicious code to get in, and each time, with ASLR, an attempt is made and failed, a randomization occurs.  Stagefright is coded to allow a reboot every five seconds, with that meaning that there are a total of twelve chances per minute to gain access.  Each of the twelve times has a 1 in 256 chance to succeed, making it roughly 4% of the time that a successful exploit instance occurs per minute.  4% sounds good, but that’s not quite all there is to this.

Google PR has been touting the ASLR security enhancement as a sort of end-all, be-all Stagefright protectant, while, as the math above, clearly shows otherwise.  No, your now-patched device isn’t invulnerable to a Stagefright exploit instance, but yes, it is much less likely to occur.  Something to keep in mind, in case you happen to browse in places that might very well try to utilize Stagefright’s vulnerability: Stagefright is part of media playback in Android, and each time it reboots and restarts, there will be a cut in audio playback, obviously.  Though it’s not surefire, and definitely isn’t the safest way to manage your device’s security and safety, if your audio doesn’t cut out, you’re probably in the clear.  Stagefright will no doubt be a talking point for a while to come, simply because it’s at the core of the Android OS, and a fix that would stop the audio cutout when the media process fails and reboots, but such fixes are the work of longer-term engineering rather than a quick-fix to stop most of the major threats’ entry ways.