Zimperium on Monday revealed a stunning discovery by researcher Joshua Drake — a flaw in Android’s Stagefright media playback engine that could expose millions of mobile device users to attack without their having done anything.
Stagefright, which processes several popular media formats, is implemented in native code — C++ — which is more prone to memory corruption than memory-safe languages such as Java, according to Zimperium.
Stagefright has several remote code execution vulnerabilities that can be exploited using various methods, Zimperium said.
The worst of them doesn’t require any user interaction.
The vulnerabilities critically expose 95 percent of Android devices — about 950 million, by Zimperium’s count.
“Users of Android versions older than 4.1 are at extreme risk,” Drake told LinuxInsider.
The No-Touch Flaw
Attackers need nothing more than a victim’s mobile phone number to exploit the most dangerous Stagefright flaw, Zimperium said.
They can send a specially crafted media file delivered as an MMS message.
A fully weaponized, successful attack could delete the message before the user sees it, leaving only a notification that the message was received.
The victim wouldn’t need to take any action for the attack to be successful.
Zimperium reported the vulnerability to Google and submitted patches, which Google applied within 48 hours.
Users of SilentCircle’s Blackphone have been protected against these problems with the release earlier this month of PrivateOS version 1.1.7, Zimperium reported, and Mozilla’s Firefox for mobile, aka “Fennec,” includes fixes for these issues in v38 and later versions.
Google is coordinating with members of the Open Handset Alliance to get the issues addressed in official Android-compatible devices.
“We thank Joshua Drake for his contributions,” said Google spokesperson Elizabeth Markman. “The security of Android users is extremely important to us, and so we responded quickly — and patches have already been provided to partners that can be applied to any device.”
What’s Happening Now
If you’re an Android device user, expect nothing and prepare for trouble.
“Many carriers and manufacturers prefer to push patches out to customers themselves, if at all,” said Ken Westin, security analyst for Tripwire.
That means “even well after the patches are made public, more than half [of users] will still be vulnerable,” he told LinuxInsider.
Further, this vulnerability goes back to Android 2.2, which was released five years ago, Westin pointed out, so “some of these devices may not have patches available through their carriers as they are too old and are no longer supported.”
“This problem doesn’t show any signs of going away,” Drake said. “Even Nexus devices remain without a patch today, presumably because of this very problem.”
Tripwire so far has not seen any exploits of the Stagefright flaw in the wild, although “this can change very quickly now that the vulnerability has been exposed,” Westin said.
Android’s General Safety Overview
Most Android devices, including all newer devices, “have multiple technologies that are designed to make exploitation more difficult,” Google’s Markman told LinuxInsider. Android devices “also include an application sandbox designed to protect user data and other applications on the device.”
However, the jury’s still out on whether sandboxes can fully protect devices.
Bluebox last year discovered an Android design error it dubbed “Fake ID,” which let malware sneak by Android’s app sandbox and take control of other apps.
Google removed the Android webview Flash flaw from Android 4.4 KitKat, but 82 percent of devices couldn’t update to the new version of the OS because mobile carriers and manufacturers delayed or did not deliver the update, Bluebox said.
Staying Safe in the Malware Storm
Consumers “can stop using the Hangouts messaging app to mitigate some of the risk, but other than that, they will need to wait for an update,” Tripwire’s Westin said.
Applying strong authentication to critical apps could help Android users remain safe, Secure Channels CEO Richard Blech told LinuxInsider. Also, login credentials should not be kept on the device.
“Always use a currently supported mobile device,” Zimperium’s Drake suggested, and “keep your device updated to the latest version at all times.” If an update isn’t available, “manually install an OS like CyanogenMod that supports older devices for a longer period of time.”