If you’ve ever suffered from stage-fright in front of a large audience, you’ll know what a terrifying feeling it can be. It’s perhaps appropriate, then, that Android’s latest vulnerability exists in its media play-back engine, which is known as Stagefright, and the vulnerability is actually pretty terrifying.

This vulnerability requires only the victim’s phone number in order to execute remote code on that handset, and seeing as how Stagefright is present in every Android release since Android 2.2 (aka Froyo), the potential for things to go wrong is quite significant — just about every Android handset is potentially at risk. The bug in question was discovered by Zimperium zLabs, which will be discussing full details of the flaw at the Black Hat conference taking place in Las Vegas next week.

Why’s this so bad? Well, two reasons. One, the exploit doesn’t require any user interaction to implement. A victim need do absolutely nothing, and someone can execute code on their handset from afar. The example given involves sending a simple MMS to the user which can delete itself, but it could do an awful lot before that.

Zimperium zLabs vice president Joshua Drake said:

It’s a nasty attack vector.

The problem is that Stagefright is an over-privileged application with system access on some devices, which enables privileges similar to apps with root access. Stagefright is used to process a number of common media formats, and it’s implemented in native C++ code, making it simpler to exploit.

On some devices, [Stagefright] has access to the system group, which is right next to root—very close to root—so it should be easy to get root from system. And system runs a lot of stuff. You’d be able to monitor communication on the device and do nasty things.

That process, you would think, would be sandboxed and locked down as much as it could because it’s processing dangerous, risky code, but it actually has access to the Internet. Android has a group enforcement where it allows [Stagefright] to connect to the Internet. This service is on all Android devices. I’d rather not have a service that’s doing risky processing have Internet access.
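The point above about Stagefright being a native C++ parser for untrusted media is the general lesson for any length-prefixed format. The following is an added example, not Stagefright’s or Android’s code: it shows the defensive pattern a native chunk parser should follow, using the MP4/ISO-BMFF box header layout (4-byte big-endian size, 4-byte type, optional 8-byte largesize) as the assumed input format, with every size field checked against the remaining buffer before it influences any offset arithmetic. The sample buffers are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not Stagefright code. Box layout assumed:
 *   4-byte big-endian size | 4-byte type | payload ...
 *   size == 1 -> an 8-byte largesize follows the type
 *   size == 0 -> the box extends to the end of the input */

typedef struct {
    uint32_t type;
    uint64_t payload_off;   /* offset of payload within the input buffer */
    uint64_t payload_len;
} box_t;

#define MAX_BOXES 16

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint64_t rd64(const uint8_t *p) {
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}

/* Returns the number of boxes parsed, or -1 on malformed input.
 * The cursor can never leave [0, len): each size is validated against
 * the bytes actually remaining before it is added to the position. */
int parse_boxes(const uint8_t *buf, size_t len, box_t *out, size_t max_out) {
    size_t pos = 0, n = 0;
    while (pos < len) {
        if (len - pos < 8) return -1;              /* truncated header */
        uint64_t size = rd32(buf + pos);
        uint32_t type = rd32(buf + pos + 4);
        size_t hdr = 8;
        if (size == 1) {                           /* 64-bit largesize */
            if (len - pos < 16) return -1;
            size = rd64(buf + pos + 8);
            hdr = 16;
        } else if (size == 0) {                    /* runs to end of input */
            size = len - pos;
        }
        /* A size smaller than its header would wrap payload_len; a size
         * larger than the remaining input would push the cursor out of
         * bounds. Both are rejected before any arithmetic uses them. */
        if (size < hdr) return -1;
        if (size > (uint64_t)(len - pos)) return -1;
        if (n >= max_out) return -1;
        out[n].type = type;
        out[n].payload_off = pos + hdr;
        out[n].payload_len = size - hdr;
        n++;
        pos += (size_t)size;                       /* safe: size <= len - pos */
    }
    return (int)n;
}

/* Constructed samples: a well-formed 'ftyp' + 'free' pair, the same bytes
 * with the first size forged to 0xFFFFFFF0, a box whose size is smaller
 * than its own header, and a size-0 box that legitimately runs to EOF. */
static const uint8_t GOOD[] = {
    0x00,0x00,0x00,0x0C, 'f','t','y','p', 'i','s','o','m',
    0x00,0x00,0x00,0x08, 'f','r','e','e' };
static const uint8_t FORGED[] = {
    0xFF,0xFF,0xFF,0xF0, 'f','t','y','p', 'i','s','o','m',
    0x00,0x00,0x00,0x08, 'f','r','e','e' };
static const uint8_t TINY[] = {
    0x00,0x00,0x00,0x04, 'f','t','y','p' };
static const uint8_t TO_EOF[] = {
    0x00,0x00,0x00,0x00, 'm','d','a','t', 0x01,0x02,0x03 };

int demo_good(void)   { box_t b[MAX_BOXES]; return parse_boxes(GOOD,   sizeof GOOD,   b, MAX_BOXES); }
int demo_forged(void) { box_t b[MAX_BOXES]; return parse_boxes(FORGED, sizeof FORGED, b, MAX_BOXES); }
int demo_tiny(void)   { box_t b[MAX_BOXES]; return parse_boxes(TINY,   sizeof TINY,   b, MAX_BOXES); }
int demo_to_eof(void) { box_t b[MAX_BOXES]; return parse_boxes(TO_EOF, sizeof TO_EOF, b, MAX_BOXES); }

int main(void) {
    printf("good=%d forged=%d tiny=%d to_eof=%d\n",
           demo_good(), demo_forged(), demo_tiny(), demo_to_eof());
    return 0;
}
```

The two checks that matter are `size < hdr` and `size > len - pos`: together they make the later `pos += size` and `size - hdr` incapable of wrapping, which is exactly the property a parser running with system-group privileges and network access cannot afford to lack.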

The second major issue is that software updates for older Android devices are basically non-existent. More than 85% of Android devices are running a version behind the latest major release (Android 5.0), and about 25% are lower than Android 4.2, at which point a number of exploit mitigations were introduced into Android’s code.

How can you protect yourself from such an attack?

Protection against the SMS/MMS attack vector might be fairly trivial, depending on which SMS application you use.

  • If you use Google Messenger, under Settings -> Advanced Settings, you can disable auto-retrieve MMS. By doing so, and not downloading MMS from anyone you don’t trust, you reduce the risk significantly.
  • Google Hangouts has a similar option under Settings -> SMS.
  • LG’s G4 (for example) uses LG’s own Messaging application. Under Settings -> Multimedia Messages, you can disable auto-receive.
  • Sony’s Xperia Z3 Messaging app has the same option under Settings, called MMS auto download.
  • Samsung’s Messages app has the option under More -> Settings -> More Settings -> Multimedia -> Auto Receive.

The option is likely present on many other SMS apps, but these are the ones we can check immediately. There are likely other attack vectors as well, though MMS is the one that has been spoken about publicly thus far, and it’s certainly the most risky.

We’ll bring you more about this vulnerability once it becomes known. In the meantime, be careful who you open MMS from!

Source: Threatpost.
    11 Comments
    Bootloops Anonymous

    Thank you for posting a level headed, intelligent article about this (Not that Ausdroid ever posts any other kind) and a fix. Other sites *cough*gizmodo*cough* have decided fear mongering and jumping to conclusions is the best thing to communicate to their readership. I don’t know why I keep going back to that god-forsaken site.

    dazweeja

    It’s still all a bit vague at the moment, eg: “On some devices, [Stagefright] has access to the system group, which is right next to root—very close to root—so it should be easy to get root from system.” Some devices? Should be easy? Also on their blog post, it has screenshots showing that the vulnerability isn’t triggered (on Lollipop at least) until the user pulls down the notification shade or views the message. Right before they put in a plug for their own product which protects against this vulnerability… No doubt there’s a bug but it’s possible the actual risks…

    Darren Ferguson

    Thank you for being the only source that I have read this on that proposes some mitigation.

    Brin

    Install CyanogenMod. The nightlies for the past 2 weeks have had fixes.

    Jason Murray

    Can’t, I need my phone to actually work! 😉

    Brin

    What device?

    What build?

    What’s broken?

    I’ll look into it for you.

    Pumpino

    The latest builds have fixes when the issue has only just been announced and Google itself is yet to issue a fix?

    Brin

    Yes. We (I’m a CM developer) merged 2 weeks ago. Google has accepted the changes into the AOSP master.

    TerrorBite

    I’m on a OnePlus One. I haven’t had any Cyanogen updates come OTA for a while. Will there be an OTA update for us?

    Phillip Molly Malone

    Those OSes aren’t updated but I wonder if it isn’t fixable via Google Play Services, which has a better update rate than any OS available (95% I believe).

    Jason Murray

    Using Play Services to push out an update has been mused before, but Google is yet to do so.