Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices

Researchers at Zimperium have reported two new Stagefright vulnerabilities affecting one billion Android devices.

When researcher Joshua Drake published details in August about critical Android vulnerabilities in the Stagefright media playback engine, he promised there would be more issues that he and others would find and report to Google’s Android security team.

Today, Drake, vice president of platform research and exploitation at Zimperium, disclosed two more flaws in Stagefright, one that dates back to the first version of Android, and a second dependent vulnerability that was introduced in Android 5.0. The bugs affect more than one billion Android devices, essentially all of them in circulation.

While the first Stagefright flaw was patched in short order by Google and deployed by carriers and handset makers, updates for these two vulnerabilities are not yet available to the general public. A Google spokesperson told Threatpost today that the patches were provided to partners on Sept. 10. The patches will be rolled out to Nexus users and included in the next monthly Android security update scheduled for Oct. 5. The patches were also, inadvertently, pushed to the Android Open Source Project (AOSP), said Zuk Avraham, chairman and founder of Zimperium.

The risks with these vulnerabilities, dubbed Stagefright 2.0, are nearly identical to the original Stagefright flaws; the only difference is that the attack vector for the first bugs has been patched. Successful exploits would enable remote code execution and lead to privilege escalation, putting an attacker in control over a compromised device. They would have access to personal data and photos stored on the phone, be able to take photos, record conversations, exfiltrate email and SMS/MMS messages and load additional apps.

“It’s as dangerous as Stagefright 1.0,” said Avraham, who added that Zimperium is not aware of public exploits of these issues. But given that one of the bugs has been in Android since the very beginning, it’s likely they could have been used in an attack.

Stagefright 1.0, however, was exploited via a specially crafted MMS message, which was at the time automatically processed by Stagefright. Google’s patch means Stagefright no longer does so, especially in new versions of Google’s Messenger and Hangouts apps. With Stagefright 2.0, Avraham said the most logical attack vector would be the mobile browser, where an attacker tricks the victim via phishing or malvertising into visiting a URL hosting the exploit. An attacker could also inject the exploit via a man-in-the-middle attack, or host a malicious third-party app that uses the vulnerable library.

Like the first set of attacks, Stagefright 2.0 exploits are a way onto the phone. Stagefright is granted some system-level privileges, giving the attacker the opportunity to elevate their privileges with additional attacks in order to control the device.

“It’s a library that was written very badly,” Avraham said of Stagefright. “The library itself is pretty vulnerable; it has a lot of code mistakes. The media processing is not as safe as it should be.”

One of the vulnerabilities has been assigned CVE-2015-6602 and was found in a core Android library called libutils; it has been in the Android OS since it was first released and before there were even Android mobile devices. The second vulnerability was introduced into libstagefright in Android 5.0; it calls into libutils in a vulnerable way, Avraham said. An attacker would use a specially crafted MP3 or MP4 file in this case to exploit the vulnerabilities.

The libutils vulnerability is critical because it could extend into many areas of Android.

“Determining all possible ways that a core library component has been used across the Android ecosystem is an insurmountable task,” said a FAQ published by Zimperium. “Every piece of code that uses the vulnerable library needs to be inspected to see if it calls APIs within libutils in a vulnerable way. Then, each potentially vulnerable use would need to be inspected and analyzed individually.”

The libstagefright issue affects apps that utilize Android’s multimedia APIs, which call into the library.

“In each case, the vulnerable code runs inside mediaserver,” Zimperium said.
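The two bugs have different version footprints (the libutils flaw is in every Android release, the libstagefright caller only in 5.0 and later), and the fix ships in the Oct. 5 monthly update. The following triage helper, added here as an illustration and not code from Zimperium or Google, turns that into an inventory check; it assumes that a device whose `ro.build.version.security_patch` property is dated at or after 2015-10-05 carries the fixes and that a device without that property is unpatched.

```python
"""Classify Android inventory records against the two Stagefright 2.0 bugs.

From the article: CVE-2015-6602 is in libutils and present in every Android
version; the second bug entered libstagefright in Android 5.0; Google's fixes
ship in the monthly update dated Oct. 5, 2015.
Assumption (not from the article): a security patch level at or after that
date means the fixes are present; no patch level property means unpatched.
"""
from datetime import date
from typing import Optional

FIX_DATE = date(2015, 10, 5)  # monthly update carrying the fixes (article)

def parse_version(v: str) -> tuple:
    """'5.1.1' -> (5, 1, 1); stops at the first non-numeric component."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def parse_patch_level(s: Optional[str]) -> Optional[date]:
    """Parse an ISO date such as '2015-10-05'; None if absent or malformed."""
    if not s:
        return None
    try:
        return date.fromisoformat(s.strip())
    except ValueError:
        return None

def exposure(android_version: str, security_patch: Optional[str]) -> list:
    """Return the Stagefright 2.0 issues the device is still exposed to."""
    patch = parse_patch_level(security_patch)
    if patch is not None and patch >= FIX_DATE:
        return []
    issues = ["CVE-2015-6602 (libutils)"]  # every Android release
    if parse_version(android_version) >= (5, 0):
        issues.append("libstagefright MP3/MP4 parsing (Android 5.0+)")
    return issues

# Constructed sample records, as an MDM might collect them via `getprop`.
SAMPLE_FLEET = [
    {"id": "dev-a", "android": "4.4.4", "patch": None},
    {"id": "dev-b", "android": "5.1.1", "patch": "2015-09-01"},
    {"id": "dev-c", "android": "6.0", "patch": "2015-10-05"},
]

def triage(fleet=SAMPLE_FLEET) -> dict:
    """Map device id -> list of outstanding issues (empty list = fixed)."""
    return {d["id"]: exposure(d["android"], d["patch"]) for d in fleet}

if __name__ == "__main__":
    for dev_id, issues in triage().items():
        print(dev_id, "OK" if not issues else "; ".join(issues))
```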

Stagefright 1.0 was disclosed during presentations given by Drake at Black Hat and DEF CON in August. The original exploits were particularly worrisome given that an attacker need only know the victim’s phone number in order to send a crafted MMS message to a phone and trigger the vulnerability without user interaction; an attacker could also delete the MMS before the victim was even aware it had been sent.

Stagefright is an over-privileged application with system access on some devices, which enables privileges similar to apps with root access. Stagefright is used to process a number of common media formats, and it’s implemented in native C++ code, making it simpler to exploit.

“On some devices, [Stagefright] has access to the system group, which is right next to root—very close to root—so it should be easy to get root from system,” Drake told Threatpost in July. “And system runs a lot of stuff. You’d be able to monitor communication on the device and do nasty things.

“That process, you would think, would be sandboxed and locked down as much as it could because it’s processing dangerous, risky code, but it actually has access to the Internet,” Drake said. “Android has a group enforcement where it allows [Stagefright] to connect to the Internet. This service is on all Android devices. I’d rather not have a service that’s doing risky processing have Internet access.”


Discussion

  • Renee

    I'm wondering if anyone is brave enough to have a class action lawsuit against Google for deliberately ignoring the problem, thereby putting billions at risk for both financial and identity theft?
  • Hajla

    Ok so I can get root on my Moto G 2 without unlocking the bootloader? That's great news!
  • Matt H

    In my opinion, the most noteworthy issue is the lack of security patching releases by device manufacturers. Google (Alphabet) should devise a new release of Android that allows security patching of their operating system independent of device-specific support elements added by device vendors. Until this is done, the vast majority of Android devices will continue to be used despite severe flaws, with the expectation that this is just what you should expect.
  • BT7474

    My review written for another article applies to this page also; I have copied and pasted my comment to this article below: Far too little, far too late. Google and Partners are still in a state of denial: How many people out of about 95% = 950 million Android Devices do you think have got the expertise to find Stagefright, especially when it can delete any trace of itself actually infecting a person’s Android Device? If Google was that competent with the number of experts it has, then why didn’t it find it in the first place? Why did Google and its Partners take far too long to provide a solution to consumers, and also how much longer (months, years, ever receiving) a proper solution? It appears that the security services have been using Stagefright for years: It is about time that Google and Partners woke up and smelt the coffee: http://www.bbc.co.uk/iplayer/episode/b06h7j3b/panorama-edward-snowden-spies-and-the-law