
StageFright: Android's Heart of Darkness

DEEPLINKS BLOG
July 31, 2015

Earlier this week researchers with Zimperium Mobile Security announced that they had found a serious new vulnerability deep in the code that Android phones and tablets use to handle multimedia.

The code and the vulnerability are both called StageFright. The researchers discovered that by sending a multimedia (MMS) text message containing a specially crafted audio or video file, they could execute arbitrary code on the victim's phone. Zimperium estimates that in 50% of cases the user wouldn't even have to open the text message for the exploit to work, because some messaging apps (Hangouts among them) automatically retrieve and pre-process media attachments as soon as they arrive. In the other 50%, the exploit runs as soon as the user opens the message containing the malicious content. According to Zimperium, this vulnerability affects any Android device running version 2.2 or above regardless of manufacturer, which accounts for nearly every Android phone in existence (95%, according to Zimperium).
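The post doesn't say which part of the media code was at fault, and what follows is neither Android's code nor Zimperium's exploit. It is an added example, written for this page, of the kind of check a media parser has to make before it trusts a number read out of the file. An MP4 file is a tree of "boxes", each announcing its own length; the walker below refuses any box whose declared length is smaller than its own header or larger than the bytes actually remaining, which is what keeps a crafted file from steering the parser past the end of its buffer or into a wild allocation. The sample files at the bottom are constructed by hand, not real captures, and the box type names are the standard ones from the format.

```python
"""Bounds-checked walker for the MP4 / ISO base media file format.

Every box in an MP4 file begins with a 32-bit big-endian size (which
counts the header itself) followed by a four-character type.  A size of
1 means a 64-bit "largesize" follows the type; a size of 0 means "this
box runs to the end of its parent".  A parser that believes these
numbers without checking them can be walked past the end of its buffer,
made to loop forever, or asked for a huge allocation, which is the kind
of mistake that turns a crafted media file into memory corruption.

Illustrative code written for this page; it is not Android's media
library, and the checks are not claimed to be the ones it was missing.
"""
import struct

# Boxes whose payload is itself a sequence of boxes (the ones that matter
# for a structural walk; everything else is treated as an opaque leaf).
CONTAINER_TYPES = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts"}


class MalformedBox(ValueError):
    """Raised when a box's declared size does not fit the bytes available."""


def walk_boxes(data, start=0, end=None, depth=0, max_depth=8):
    """Yield (depth, type, header_offset, payload_start, payload_end) for
    every box, checking each declared size before it is used.

    Comparisons are always against the bytes *remaining* (end - pos),
    never against pos + size: in a 32-bit C implementation pos + size can
    wrap around and pass a naive "< end" test.
    """
    if end is None:
        end = len(data)
    if depth > max_depth:
        raise MalformedBox("box nesting deeper than %d levels" % max_depth)
    pos = start
    while pos < end:
        remaining = end - pos
        if remaining < 8:
            raise MalformedBox("truncated box header at offset %d" % pos)
        size, btype = struct.unpack_from(">I4s", data, pos)
        header_len = 8
        if size == 1:                      # 64-bit largesize follows the type
            if remaining < 16:
                raise MalformedBox("truncated largesize at offset %d" % pos)
            (size,) = struct.unpack_from(">Q", data, pos + 8)
            header_len = 16
        elif size == 0:                    # box extends to the end of its parent
            size = remaining
        # A size smaller than the header would make the loop stand still or
        # step backwards; a size larger than what remains would read past
        # the buffer.  Reject both before touching the payload.
        if size < header_len:
            raise MalformedBox("box %r at %d declares size %d, smaller than its %d-byte header"
                               % (btype, pos, size, header_len))
        if size > remaining:
            raise MalformedBox("box %r at %d declares size %d but only %d bytes remain"
                               % (btype, pos, size, remaining))
        payload_start, payload_end = pos + header_len, pos + size
        yield depth, btype, pos, payload_start, payload_end
        if btype in CONTAINER_TYPES:
            yield from walk_boxes(data, payload_start, payload_end, depth + 1, max_depth)
        pos = payload_end


def inspect(data):
    """Return the box types in file order, or raise MalformedBox."""
    return [btype.decode("ascii", "replace") for _, btype, _, _, _ in walk_boxes(data)]


def is_safe(data):
    """True if every declared size in the file fits the bytes it has."""
    try:
        inspect(data)
    except MalformedBox:
        return False
    return True


# --- constructed sample files (hand-built for this example, not captures) ---
def _box(btype, payload=b""):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

# A minimal well-formed layout: ftyp, then moov containing mvhd and a trak.
GOOD = (_box(b"ftyp", b"isom" + b"\x00\x00\x02\x00" + b"isom")
        + _box(b"moov", _box(b"mvhd", b"\x00" * 100)
                        + _box(b"trak", _box(b"tkhd", b"\x00" * 84))))

# moov's size field (at offset 20, right after the 20-byte ftyp) rewritten
# to claim about 4 GiB while only 216 bytes actually follow.
BAD_OVERSIZE = GOOD[:20] + struct.pack(">I", 0xFFFFFFF0) + GOOD[24:]

# A largesize box claiming 1 TiB with 32 bytes of payload behind it.
BAD_LARGESIZE = struct.pack(">I4s", 1, b"mdat") + struct.pack(">Q", 1 << 40) + b"\x00" * 32

# A box whose size (4) is smaller than its own 8-byte header.
BAD_UNDERSIZE = struct.pack(">I4s", 4, b"free") + b"\x00" * 12

# A valid file cut short: the moov box promises more bytes than exist.
TRUNCATED = GOOD[:-3]


if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("BAD_OVERSIZE", BAD_OVERSIZE),
                         ("BAD_LARGESIZE", BAD_LARGESIZE),
                         ("BAD_UNDERSIZE", BAD_UNDERSIZE), ("TRUNCATED", TRUNCATED)]:
        try:
            print(name, "->", inspect(sample))
        except MalformedBox as exc:
            print(name, "-> rejected:", exc)
```

The point of the example is the two comparisons in the middle of the loop, and the order they run in: the size is checked against what is left of the parent before anything is read or allocated from it, and the check is phrased as "size > remaining" rather than "pos + size > end" so that it still holds in a language where the addition can wrap.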

Unfortunately, Zimperium was very guarded about the details of the attack and, even more concerning, about how to prevent it. Only on Thursday did Zimperium finally release further details about the exploit and what could be done to mitigate the risk, after admitting that they had talked to other security companies and now believed StageFright to be exploited in the wild.

According to Zimperium, an attacker taking advantage of this exploit could gain either media or system privileges on the user's phone, depending on the device. With media privileges the attacker could take video of their target, record audio, or listen to phone calls. They could also potentially root the victim's phone and do a lot more. With system privileges the attacker could do almost anything on the victim's phone.

How to protect yourself from StageFright

Fortunately there are some steps users can take to protect themselves from this vulnerability. The two best ways to protect yourself are to disable MMS messaging (specifically, the automatic retrieval of MMS messages) on your Android device and to make sure you install the latest updates for your phone. The steps needed to disable MMS messaging depend on which software you are using.

Disable MMS in Hangouts and the Default Messaging application

Steps to disable MMS in these applications can be found on Zimperium's blog post.

TextSecure

TextSecure users may be in luck! According to Moxie Marlinspike, founder of Open Whisper Systems (the company which makes TextSecure), “We don't do any pre-processing that involves stagefright....you'd have to physically tap on the media and then click through a warning about playing media insecurely before stagefright got involved.”

So if you have TextSecure installed you might be safe as long as you don't tap on any media messages.

Other texting apps

For other texting applications you should disable MMS messages and not view any audio or video messages that arrive, if at all possible. A quick Internet search should turn up the instructions you need.

Keep your phone up to date

Of course there may be other vectors for triggering the StageFright vulnerability that we don't yet know about; the vulnerable media code is shared by other apps on the phone, not just the messaging app, so just turning off MMS messaging might not be enough. The best way to protect your phone would be to keep it up to date with all of the latest security patches. Unfortunately, keeping your phone up to date might turn out to be a bit trickier than you expect. Zimperium did tell Google about this vulnerability weeks before they announced it, and there is already a patch for the latest Android devices. Unfortunately, only a small fraction of Android devices will receive that patch in a timely manner. Some devices could take months or years to receive the patch, if they ever do at all.

This is due to a problem known as fragmentation, in which mobile phone manufacturers frequently modify the Android operating system however they like before putting it on a device to sell. As a result, any security patch has to be specially adapted (or at least vetted) by the phone manufacturer before it can be sent out to the manufacturer's phones. This is a huge problem for Android users, since phone manufacturers take a long time to review and release security patches, if they do at all. In fact, a phone you bought just a year ago may never receive patches for massive security problems such as StageFright.

Fragmentation also has socioeconomic implications. Older and cheaper phones tend to run older versions of the Android operating system, and vendors often give up supporting them or updating the software running on them. On the other hand, newer and more expensive phones tend to receive updates faster and more reliably (especially Google Nexus devices). This results in a situation where those who can't afford top-end phones are left vulnerable to massive security issues, potentially for years, while those who can afford a top-end phone can be assured that they will be protected in a timely manner.

In the end, it is Google that needs to fix this issue. Google has already taken some steps to try to solve the fragmentation problem, such as moving some core Android functionality into Google Play Services, which can easily be updated, and requiring manufacturers to use newer versions of the operating system when they build a device. While these changes may help Google solve some aspects of the fragmentation problem, they do not help patch core operating system issues such as StageFright. It is commendable that a patch has been released for StageFright so quickly. Now it is the responsibility of Google and device manufacturers to ensure that this patch is made available to every Android user, old phone or new.
