Earlier this year, security firm Zimperium warned Google about critical vulnerabilities, dubbed Stagefright, in Android’s media library, which open an estimated 950 million Android devices to attacks. While Google is still scrambling to fix the flaws, Zimperium has now made the code to exploit the vulnerabilities available to the public.
The Stagefright bug originates in Android’s media playback engine, libstagefright. It allows hackers to gain control of vulnerable Android devices and execute malicious code through multiple entry points, and users would be none the wiser. Zimperium was the first to pick up on the security flaws and told Google about them four months ago. While Google and its mobility partners have taken steps to patch the critical flaws, they have not been successful in completely fixing the issue.
Having given Google a deadline to remedy Stagefright, Zimperium has just published its exploit of the bug to the world. The software uses a Python script to generate an MP4 exploiting the most critical vulnerability in the Stagefright media library and provides attackers with a reverse command shell. Once that’s done, attackers can do all sorts of things with the compromised Android device, such as take pictures or listen to the microphone remotely.
Zimperium has cautioned that the exploit has only been tested on a Nexus running Android 4.0.4, so it may not work on all Android devices. It definitely doesn’t work on devices running Android 5.0 or above.
So why has Zimperium released the exploit? So that security teams, IT administrators and penetration testers can test whether or not systems are still vulnerable, according to the company. It also gives Google, its device manufacturer and telco partners a firm kick up the bum to get cracking on fixing Stagefright.
But no doubt attackers will be taking advantage of this exploit as well: let’s hope Android users will receive all the necessary patches for Stagefright very soon.
[Via Zimperium Blog]