If you’ve ever suffered from stage-fright in front of a large audience, you’ll know what a terrifying feeling it can be. It’s perhaps appropriate, then, that Android’s latest vulnerability exists in its media playback engine, which is known as Stagefright, and the vulnerability is actually pretty terrifying.
This vulnerability requires only the victim’s phone number in order to execute remote code on that handset, and seeing as how Stagefright is present in every Android release since Android 2.2 (aka Froyo), the potential for things to go wrong is quite significant — just about every Android handset is potentially at risk. The bug in question was discovered by Zimperium zLabs, which will be discussing full details of the flaw at the Black Hat conference taking place in Las Vegas next week.
Why’s this so bad? Well, two reasons. One, the exploit doesn’t require any user interaction to carry out. A victim need do absolutely nothing, and someone can execute code on their handset from afar. The example given involves sending a simple MMS to the user, which can then delete itself, but it could do an awful lot before that.
Zimperium zLabs vice president Joshua Drake said:
It’s a nasty attack vector.
The problem is that Stagefright is an over-privileged component with system access on some devices, which grants it privileges similar to those of apps with root access. Stagefright is used to process a number of common media formats, and it’s implemented in native C++ code, making it simpler to exploit than managed code would be.
On some devices, [Stagefright] has access to the system group, which is right next to root—very close to root—so it should be easy to get root from system. And system runs a lot of stuff. You’d be able to monitor communication on the device and do nasty things.
That process, you would think, would be sandboxed and locked down as much as it could because it’s processing dangerous, risky code, but it actually has access to the Internet. Android has a group enforcement where it allows [Stagefright] to connect to the Internet. This service is on all Android devices. I’d rather not have a service that’s doing risky processing have Internet access.
The second major issue is that software updates for older Android devices are basically non-existent. More than 85% of Android devices are running a version behind the latest major release (Android 5.0), and about 25% are lower than Android 4.2, at which point a number of exploit mitigations were introduced into Android’s code.
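The version thresholds in that paragraph translate directly into a fleet triage check. The following is an added example, not code from the article or from Zimperium: it parses Android release strings properly (so that "4.4W" or "4.1.2" compare correctly rather than as plain text) and buckets a device inventory by the article’s thresholds. The inventory format, device names and release strings are constructed here; the only inputs taken from the article are the 2.2 (Stagefright present), 4.2 (exploit mitigations introduced) and 5.0 (latest major release) cut-offs.

```python
"""Triage a constructed Android device inventory by OS version.

Added example; not code from the article or from Zimperium. The version
cut-offs come from the article: Stagefright ships with every release from
2.2 onward, several exploit mitigations arrived in 4.2, and 5.0 is the
current major release. Everything else here is made up for illustration.
"""
import re
from typing import Dict, List, Tuple

STAGEFRIGHT_INTRODUCED = (2, 2)  # per the article: present since Android 2.2
MITIGATIONS_INTRODUCED = (4, 2)  # per the article: mitigations added in 4.2
LATEST_MAJOR = (5, 0)            # per the article: latest major release

# Constructed sample inventory: device id -> ro.build.version.release string.
SAMPLE_INVENTORY = {
    "pixel-lab-01": "5.1.1",
    "sales-tablet-07": "5.0.2",
    "warehouse-scanner-03": "4.4.4",
    "kiosk-02": "4.4W",          # Android Wear style string; compares as 4.4
    "field-phone-19": "4.2.2",
    "loaner-11": "4.1.2",
    "legacy-demo": "2.1",
}

BUCKETS = ("stagefright-absent", "no-mitigations", "behind-latest", "current")


def parse_version(release: str) -> Tuple[int, int, int]:
    """Turn a release string such as '4.4.4' or '4.4W' into a comparable tuple.

    Non-numeric suffixes are dropped and missing minor/patch numbers count
    as 0, so '5.0' == (5, 0, 0) and '4.4W' == (4, 4, 0).
    """
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def classify(release: str) -> str:
    """Map one release string onto the article's risk buckets."""
    v = parse_version(release)[:2]
    if v < STAGEFRIGHT_INTRODUCED:
        return "stagefright-absent"   # pre-2.2: the vulnerable engine isn't there
    if v < MITIGATIONS_INTRODUCED:
        return "no-mitigations"       # 2.2 .. 4.1: Stagefright, no mitigations
    if v < LATEST_MAJOR:
        return "behind-latest"        # 4.2 .. 4.4: mitigations, but not current
    return "current"                  # 5.0 and up


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket every device in the inventory; device ids are listed sorted."""
    buckets: Dict[str, List[str]] = {name: [] for name in BUCKETS}
    for device, release in sorted(inventory.items()):
        buckets[classify(release)].append(device)
    return buckets


def fraction_behind_latest(inventory: Dict[str, str]) -> float:
    """Share of devices not on the latest major release (cf. the article's 85%)."""
    if not inventory:
        return 0.0
    behind = sum(1 for r in inventory.values() if classify(r) != "current")
    return behind / len(inventory)


if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:20s} {', '.join(devices) or '-'}")
    print(f"behind latest: {fraction_behind_latest(SAMPLE_INVENTORY):.0%}")
```

On a real device the release string is what `adb shell getprop ro.build.version.release` prints; the script deliberately takes those strings from a dictionary so it runs offline. The "no-mitigations" bucket is the one to prioritise, since those handsets have neither the 4.2 hardening nor any realistic prospect of an update.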
How can you protect yourself from such an attack?
Protection against the SMS/MMS attack vector might be fairly trivial, depending on which SMS application you use.
- If you use Google Messenger, under Settings -> Advanced Settings, you can disable MMS auto-retrieve. By doing so, and not downloading MMS from anyone you don’t trust, you reduce the risk significantly.
- Google Hangouts has a similar option under Settings -> SMS.
- On LG’s G4 (for example), which uses LG’s own Messaging application, the option is under Settings -> Multimedia Messages, where you can disable auto-receive.
- Sony’s Xperia Z3 Messaging app has the same option under Settings, called MMS auto download.
- Samsung’s Messages app has the option under More -> Settings -> More Settings -> Multimedia -> Auto Receive.
The option is likely present in many other SMS apps, but these are the ones we could check immediately. There are likely other attack vectors as well, though MMS is the one that has been spoken about publicly thus far, and it’s certainly the riskiest, because it needs no action from the victim.
We’ll bring you more about this vulnerability once it becomes known. In the meantime, be careful who you open MMS from!