Earlier this year, Google was warned by security firm Zimperium about critical vulnerabilities, dubbed Stagefright, in Android’s media library, which open an estimated 950 million Android devices to attack. While Google is still scrambling to fix the flaws, Zimperium has now made the code to exploit the vulnerabilities available to the public.
The Stagefright bug originates in Android’s media playback engine, libstagefright, and it allows attackers to gain control of vulnerable Android devices and execute malicious code through multiple entry points, with users none the wiser. Zimperium was the first to pick up on the security flaws and told Google about them four months ago. While Google and its mobility partners have taken steps to patch the critical flaws, they have not succeeded in completely fixing the issue.
Having given Google a deadline to remedy Stagefright, Zimperium has just published its exploit of the bug to the world. The software uses a Python script to generate an MP4 file exploiting the most critical vulnerability in the Stagefright media library, and provides attackers with a reverse command shell. Once that’s done, attackers can do all sorts of things with the compromised Android device, such as take pictures or listen to the microphone remotely.
Zimperium has cautioned that the exploit has only been tested on a Nexus running Android 4.0.4, so it may not work on all Android devices. It definitely doesn’t work on devices running Android 5.0 or above.
So why has Zimperium released the exploit? So that security teams, IT administrators and penetration testers can test whether or not their systems are still vulnerable, according to the company. It also gives Google and its device manufacturer and telco partners a firm kick up the bum to get cracking on fixing Stagefright.
But no doubt attackers will be taking advantage of this exploit as well: let’s hope Android users will receive all the necessary patches for Stagefright very soon.
[Via Zimperium Blog]
Comments
4 responses to “Security Alert: Attack Code To Exploit Stagefright Bug On Android Is Now Public”
I don’t think this will solve the problem any faster (due to the carriers, and tonnes of old phones that no longer get or ever got updates) and only puts users at risk.
They would rather get another 15mins of fame in favor of end user security.
This is called ‘responsible disclosure’, and arguably does lead to the problem getting solved faster. It is a standard practice, and has nothing to do with 15 minutes of fame.
Often that is the case; in this case it isn’t. Releasing the information will not help get vulnerable devices fixed faster in this instance; in the meantime they have potentially screwed over millions of Android users, hundreds of thousands of them possibly until they get a new phone in a few years.
Even on an unpatched system, it is possible to avoid this vulnerability. There are plenty of guides/posts stating how.
The easiest method is to uninstall Hangouts, or at least disable automatic video downloading.