Yesterday, stage fright became more than just a common phobia. It is now a very real security threat to most Android-based devices. Discovered by Joshua Drake at Zimperium zLabs, vulnerabilities uncovered in Android's native media playback engine allow attackers who know an exposed Android phone’s number to gain control of the device using methods that require no user action. Attackers can trigger the playback of audio-visual content by sending vulnerable devices MMS messages, or can simply start a Google Hangout, to gain access to an Android device.
Once they have launched an exploit taking advantage of the Stagefright vulnerabilities, malefactors can initiate remote code execution (RCE) to run malware, extract data, and take over the device for a range of purposes, all without detection by users, by operators, or by most Mobile Device Management (MDM) software used by companies to govern employee access to corporate networks.
The Zimperium team elaborated on the covert nature of this threat, stating,
Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.
Shining a Spotlight on the Impact of Stagefright
Affecting an estimated 950 million Android-based phones and tablets, these security flaws are believed to be the worst Android vulnerabilities discovered to date.
Since Stagefright is a native Android component written in C++ (vs. the “Dalvik” Java dialect of most Android apps), it lacks the protection afforded by the normal runtime “sandbox” — it runs as a native Linux process rather than as a Java application inside a de-privileged virtual machine. These problems are exacerbated by the component being granted “excessive privileges” for file access and execution beyond what is actually necessary to play audio-visual content.
These vulnerabilities date back to Android version 2.2 and persist up to more recent, widely-deployed versions. While patches are available, these vulnerabilities are likely to persist for the foreseeable future, due to:
- Highly variable practices by both device manufacturers and operators in delivering updates over-the-air (OTA) to devices in the field
- Huge version proliferation of Android software components, and manufacturer- and channel-specific fragmentation of the Android platform itself. Across device models and versions, there can be hundreds of mutually incompatible Android builds deployed at any one time; moreover, many Android-based devices are never updated at all during their fielded lifetimes
Yet, the impact of Stagefright can be partially mitigated by countermeasures like those in Samsung KNOX and other MDM software.
Steps We Can Take To Avoid Future Vulnerability ‘Frights’
Open Source Hygiene – actively ensuring the use and deployment of only the most up-to-date versions of open source code, while continuously cross-referencing those components with databases of known vulnerabilities – is the most effective way to reduce overall code security risk.
The Stagefright situation is yet another example of a scenario that would benefit from Open Source Hygiene practices as a way to detect outdated and exposed versions in Android Bills-of-Material (BOMs). Device OEMs should always be monitoring the versions of integrated Android components, sourced from Google and the main Android project, from other community projects, and from third parties. Operators, for their part, can also apply Open Source Hygiene best practices and follow up with aggressive OTA pushes of patched and updated versions of the popular mobile platform.
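The cross-referencing step described above, as an added illustration that is not part of the original post and not Black Duck's own tooling: a small Python audit that takes a device Bill-of-Materials (component name and version per device model) and checks each entry against a list of advisories with affected and fixed version bounds. The device names, component versions, advisory identifiers (ADV-EXAMPLE-*) and version bounds are all constructed for the example and are not real advisory data for Stagefright or any other component. The version comparison is numeric rather than lexical, so that a release numbered 10 is correctly treated as newer than one numbered 9, a mistake that silently misses outdated components in a fragmented fleet.

```python
"""Cross-reference an Android component BOM against a vulnerability list.

Constructed example: every device, version, advisory ID and version bound
below is an illustrative placeholder, not real data for any component.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.4.2' (or '4.4.2-r1') into (4, 4, 2) so versions compare numerically.

    A plain string comparison would rank '9.0' above '10.0'; tuples of ints do not.
    Non-numeric suffixes such as '-r1' are ignored for the comparison.
    """
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group(0)) if match else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # constructed placeholder ID, not a real CVE
    component: str
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None = no fix yet
    summary: str


def is_affected(version: str, adv: Advisory) -> bool:
    """True when `version` falls inside the advisory's affected range."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def audit_bom(bom: List[Dict[str, str]], advisories: List[Advisory]):
    """Return one finding per (BOM entry, matching advisory) pair.

    Each finding is (device, component, version, advisory_id, remediation).
    """
    by_component: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_component.setdefault(adv.component, []).append(adv)

    findings = []
    for entry in bom:
        for adv in by_component.get(entry["component"], []):
            if is_affected(entry["version"], adv):
                remediation = (f"update to >= {adv.fixed}" if adv.fixed
                               else "no fix available; apply mitigations")
                findings.append((entry["device"], entry["component"],
                                 entry["version"], adv.advisory_id, remediation))
    return findings


# Constructed advisory list (placeholder IDs and version bounds).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "libstagefright", "2.2.0", "5.1.2",
             "constructed: media parsing flaw, fixed upstream"),
    Advisory("ADV-EXAMPLE-0002", "libstagefright", "4.0.0", None,
             "constructed: second flaw, no fix shipped yet"),
    Advisory("ADV-EXAMPLE-0003", "libexample-codec", "1.0.0", "1.4.0",
             "constructed: codec flaw, fixed upstream"),
]

# Constructed BOM: which component version each device model ships.
BOM = [
    {"device": "model-A", "component": "libstagefright", "version": "4.4.2"},
    {"device": "model-B", "component": "libstagefright", "version": "5.1.2"},
    {"device": "model-C", "component": "libexample-codec", "version": "1.4.1"},
    {"device": "model-C", "component": "libstagefright", "version": "2.1.0"},
]


if __name__ == "__main__":
    for device, component, version, adv_id, fix in audit_bom(BOM, ADVISORIES):
        print(f"{device}: {component} {version} affected by {adv_id}; {fix}")
```

Run as a script, the audit flags model-A twice (one fixed advisory, one unpatched) and model-B once (only the unpatched advisory, since it already carries the fixed version), while model-C's entries fall outside every affected range. In practice the BOM would be generated from the device build rather than typed in, and the advisory list would be refreshed from a maintained vulnerability database on every build.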
Enterprise users of Android-based devices can also benefit from Open Source Hygiene. Black Duck can help companies identify vulnerable code.