STAGEFRIGHT - a vulnerability that made tech giants sleepless
WHAT IS STAGEFRIGHT?
Stagefright is a serious vulnerability found in Android's media processing service. The Android service that processes multimedia files has been the source of several vulnerabilities in recent times, including a new one that could give rogue applications sensitive permissions and access to user data. The vast majority of Android phones can be hacked by sending them a specially crafted multimedia message (MMS).
WHO DISCOVERED IT?
This latest vulnerability in Android's media server component was discovered by security researchers from antivirus firm Trend Micro and by Joshua Drake, vice president of platform research and exploitation at mobile security firm Zimperium.
BRIEF ME ABOUT THIS:
Drake developed a dangerous exploit that only requires knowing the victim's phone number. He found multiple vulnerabilities in a core component called Stagefright, which is used to process, play and record multimedia files. Some of the flaws allow remote code execution and can be triggered when receiving an MMS message, downloading a specially crafted video file through the browser or opening a web page with multimedia content. There are many potential attack vectors because whenever the Android OS receives media content from any source it runs it through this framework. The library is not used just for media playback, but also to automatically generate thumbnails and to extract metadata from video and audio files, such as length, height, width, frame rate, channels and other similar information.
This means that users don't necessarily have to open malicious multimedia files for the vulnerabilities to be exploited; merely copying such files onto the file system is enough. The researcher isn't sure how many applications rely on Stagefright, but he believes that just about any app that handles media files on Android uses the component in one way or another. The MMS attack vector is the scariest of all because it doesn't require any interaction from the user; the phone just needs to receive a malicious message.
For example, the attacker could send the malicious MMS while the victim is sleeping and the phone's ringer is silenced. After exploitation the message can be deleted, so the victim will never even know that his phone was hacked. The researcher didn't just find the vulnerabilities; he also created the necessary patches and shared them with Google in April and early May. The company took the issues very seriously and quickly applied the patches to its internal Android code base. That code is shared in advance with device manufacturers in the Android partnership program before it is released publicly as part of the Android Open Source Project (AOSP). Unfortunately, due to the generally slow pace of Android updates, over 95 percent of Android devices are still affected.
According to Drake, even among Google's Nexus line of devices, which typically get patches faster than those from other manufacturers, only the recently launched Nexus 6 has received some of the fixes so far. That's because manufacturers first have to pull Google's code into their own repositories, build new firmware versions for each of their devices, test them and then work with mobile carriers to distribute the updates. Devices older than 18 months generally stop receiving updates entirely, leaving them vulnerable to newly discovered issues indefinitely. The vulnerabilities affect devices running Android versions 2.2 and higher, which means that a huge number of devices will probably never receive patches for them. The researcher estimates that only around 20 to 50 percent of the Android devices in use today will end up getting patches for the issues he found. He noted that 50 percent is wishful thinking and that he would be amazed if that happened.
What attackers can do after exploiting these vulnerabilities varies from device to device. Their malicious code is executed with the privileges of the Stagefright framework, which are higher on some devices than on others. In general, attackers will get access to the microphone, camera and the external storage partition, but won't be able to install applications or access their internal data. It is estimated that on around 50 percent of the affected devices the framework runs with system privileges, which makes it easy to gain root access and therefore complete control of the device. On the remaining devices, attackers would need a separate privilege escalation vulnerability to gain full access.
Since the patches for these flaws are not yet in the Android Open Source Project, device manufacturers that are not Google partners don't have access to them. It also means that third-party AOSP-based firmware such as CyanogenMod is still likely vulnerable. According to available sources, the patches have been shared privately with some other affected parties, including Silent Circle and Mozilla.
Mozilla Firefox for Android, Windows and Mac, as well as Firefox OS, were affected by the flaws because they used a forked version of Stagefright.
Is My Device Vulnerable?
There is an application called Stagefright Detector that checks whether your device is vulnerable. The result is shown as a list of CVE identifiers, such as CVE-2015-2838, CVE-2015-2839 and CVE-2015-2864.
How to protect from the Stagefright Vulnerability?
1. Update your device
2. Disable auto-fetching of MMS
3. If you have Hangouts SMS enabled, then under Advanced uncheck Auto Retrieve MMS
Patches fixing the issue are soon going to be released to all affected device vendors.
The Stagefright vulnerability was assigned the following CVEs:
- CVE-2015-3829
- CVE-2015-3828
- CVE-2015-6602
- CVE-2015-3864
- CVE-2015-3827
- CVE-2015-3876
- CVE-2015-3824
- CVE-2015-1538
Google also pointed out that Android devices include an application sandbox, which is designed to protect user data and other applications on the device.
[Screenshot of Gionee Elife E7 device]
- Ashish Chhatani
