Android was believed to be a safe OS but last year in July 2015, Zimperium, a security firm publically announced that they have found the vulnerability in the codes of Android OS. This actually was a software bug found in all the devices running on Android version (2.2 Froyo) and above. The Bug allows the attacker to perform any sort of operation on victim’s device by remote code execution and privilege instruction.
What is “Stagefright” and why it is named so?
It’s a security issue of Android devices and is termed as Stagefright because most of the issues found have to do with the libstagefright. It’s a mechanism which helps Android, process video files. The attacker can remotely execute code via malicious email, website or even by an MMS. Most of the text messaging apps mainly the Google hangouts which automatically processes the videos even before actually being executed by the user may pose a severe threat as the attack may happen without the knowledge of the user.
After the announcement was made, within a month Google came up with a patch for this bug, mostly for the Nexus devices, but intelligence organization Exodus suggested that Google screwed up with the code.
Stagefright bugs count as a big deal since 900 million Android device users are vulnerable, but the deal is no such report of exploiting this bug has come up. Google made a statement that devices running above 4.0 Android version need nod to worry.
Later in October 2015 Zimperium released details of further vulnerabilities and termed them Stagefright 2.0. These are specially designed MP3 & MP4 files that execute their payload when opened by the Android Media server. The vulnerability is assigned an identifier CVE-2015-6602. It’s found in the core Android library called libutils, a component of Android throughout its entire life. Android 1.5 to 5.1 are vulnerable to this new attack. It’s estimated that nearly one billion devices are affected.
Still, there are no public examples of attacks, no such method ever have been used to exploit anything outside of lab conditions, and Zimperium is not planning to share the proof-of-concept exploit they used to demonstrate this issue to Google.
Google once again started uploading patches first for its Nexus lineup, then after for other Android devices.
It’s said that Straightfright is impractical in the wild to exploit, as most of the newer Android version contains ASLR as a straightforward protection.
Android devices with the security patch level of October 1, 2015, are relatively more protected as a fix released for this issue (CVE-2015-3864) last year. We always appreciate the security community’s research efforts as they help further securing the Android system for everyone.
What steps to be taken till patch arrives for your Android device?
The most key step is to make sure where you are browsing and whom you are connected to on the internet. Try to avoid public networks, even if you are connected to any stay away from the shady websites as they may suspiciously download media content on your device without your knowledge.
Finally, Google is doing its job done by timely uploading patches to resolve this bug. Also, the latest versions of Android, v5.1 and above come with Stagefright patch included.