One of the scariest of all Android vulnerabilities made headlines this summer when it came to light that Android phones could be hacked with a simple text. The series of bugs, known as Stagefright after the media library where the vulnerability originates, is back in the spotlight with two new bugs.
When the vulnerability was first discovered in July, security researchers warned that it enabled attackers to target Android phones over text or MMS by exploiting a weakness in Android’s multimedia preview function. Google, smartphone manufacturers, and wireless carriers scrambled to issue fixes for the bug, only to discover that they needed to deploy a new batch of fixes just two weeks later. Now, three months after the initial disclosure of the bug, Stagefright is back.
Russell Brandom reports for The Verge that Zimperium, the security firm that discovered Stagefright in the first place, found a new way to exploit the vulnerability that isn’t prevented by the existing patches. The newly discovered vulnerability would enable hackers to encode malicious programs into audio files, delivered in either MP3 or MP4 format. When a user previews the audio file or visits a page where the file is embedded, the audio preview will activate the program and infect the device.
There are other, less likely ways for hackers to take advantage of the vulnerability, such as when the attacker is on the same WiFi network as the victim. Lorenzo Franceschi-Bicchierai reports for Motherboard that the hacker could inject the exploit code by intercepting the victim’s unencrypted network traffic; in that case, the victim wouldn’t need to click on links or open any files. Because a version of the preview function exists in most versions of Android, almost every device running Google’s mobile operating system is susceptible to the bug, though hackers’ implementations of it would need to vary from version to version.
As Dan Goodin reports for Ars Technica, some of Android’s mitigation strategies aren’t as effective against Stagefright exploits as initially thought. Specifically, a strategy called address space layout randomization (ASLR) is less effective against attacks targeting weaknesses in Android’s Stagefright media library than Google’s PR department would have users believe. ASLR can’t fix a buffer overflow or similar bug that causes the vulnerability in the first place, but it reduces the chances that a remote code execution attack exploiting such bugs will succeed by loading downloaded scripts into a different memory location each time the operating system is rebooted.
If the attacker can’t locate the malicious code, then the exploit simply results in a crash. But ASLR will, at best, only lower the chances that an exploit will succeed, in part because there are only 256 possible locations where attackers will find their malicious code, and because the Android media server process that relies on the Stagefright library automatically restarts after each crash, which lets an attacker try again. ASLR is still a crucial part of modern software, but it isn’t a substitute for fixing underlying bugs.
As for the new vulnerability enabled by the bug, Zimperium hasn’t yet released a workable exploit, which gives Google and its partners a head start on patching the vulnerability. Google is currently working to fix the issue in the core Android code, and the company says that a patch will be included in the October Monthly Security Update. The patch will be rolled out to Nexus users on October 5, and a fix was shared with hardware partners in September.
But that doesn’t change the fact that Android users are left depending on carriers and smartphone manufacturers for a critical fix. The troubling part of that equation is that even as Google releases updates that can lessen the severity of attacks or fix the underlying cause, relatively few Android users have received the fixes, and many never will. Stagefright, more than any vulnerability that came before, has pointed a spotlight at Android’s faulty update system. Most manufacturers took weeks, even months, to patch the first Stagefright bug.
After the first series of Stagefright bugs, Google and several smartphone manufacturers promised to release security updates more frequently. But Alexander Maxham reports for Android Headlines that few of those promises have been kept. While Google has issued monthly security updates for Nexus devices, manufacturers like LG and Samsung haven’t had much to say. And the president of HTC, which hasn’t committed to monthly security updates, recently said on Twitter that such updates are unrealistic, and are made unrealistic by carriers, which often take weeks or even months to test and approve any updates that manufacturers deploy.