The last couple of months have been abuzz with talk about a critical vulnerability found in Google’s Android OS. Since then Google has developed two patches to fix the problem. If you own a recent Google Nexus device, it is likely that you have received an update to patch up this vulnerability. Similarly, if you own a brand-name Android phone, you may also be protected. So what is the state of play now regarding Stagefright? Let’s start from the beginning…
What is Stagefright?
Stagefright is the name given to a vulnerability in the Android operating system, specifically in the libStageFright library (hence the name). The library resides in the core of the operating system and is responsible for playback of various media types.
The vulnerability was uncovered by mobile security firm Zimperium, and announced at the Black Hat 2015 conference.
Who does it affect?
The libStageFright library was introduced in Android version 2.2 and continues to exist in the latest version. According to distribution numbers, this means that around 90% or more of devices running Android are potentially affected by this exploit.
What does the exploit do?
According to Zimperium, malicious code could be developed and executed against the Stagefright media library, taking advantage of the bugs within. The library runs with elevated permissions and as a result has access to more parts of the operating system than regular apps, meaning that an exploit could do almost anything it wanted.
The most publicised way that the Stagefright exploit could be used against your phone is via MMS. A malicious video could be sent via MMS and automatically processed by the app which handles MMS messages. What’s more, the MMS could be crafted to self-delete after the malicious code was executed, meaning that the user needs to have no interaction with the phone to invoke the exploit, nor would they know the exploit ever reached their phone in the first place.
But that’s not all. A malicious multimedia file accessible via a web browser could also be used to take advantage of the vulnerability. This requires user intervention to be successful.
It goes without saying that anything you encounter that looks suspicious should not be clicked, regardless of whether you have a vulnerable phone or not.
Am I affected?
Fortunately, there have been no reported cases of exploits taking advantage of the vulnerability in the wild.
Whether you are affected largely depends on your device. Recent developments mean that your device could already be patched.
- If you own a Google Nexus 4, 5, or 6 phone, or 7 or 9 tablet, you should have received at least one, if not two, OTA (over-the-air) updates to the OS.
- Similarly, if you own a Samsung, LG, Motorola or Sony phone, you may have recently received a patch to your phone’s OS, which should have addressed the vulnerability.
One way to test whether the Stagefright bug affects you now is to download a Stagefright detection app, like the one by Zimperium.
I’m still affected now – what do I do?
A less widely reported fact is that more recent versions of Android have some level of protection against the issue via ASLR. ASLR (Address Space Layout Randomization) is a method that prevents an attacker from locating an exploitable function by randomly arranging the memory address space of a process. ASLR was introduced to Android in version 4.0, so a significant proportion of phones are protected. However, ASLR is not perfect, as an attacker could still guess the location of a function in memory to take advantage of the exploit.
While waiting for a patch to be released by their phone’s manufacturer, users can disable the auto-receive capability for MMS messages through their messaging app. This option is presented in various forms but generally involves using the Settings screen of the messaging app to turn off the auto-retrieve option.
The other obvious step is to exercise caution when receiving unsolicited messages or links to websites and only ever open MMS messages from people that you trust.
In a nutshell
- Those who own a pre-v4.0 Android device are most at risk of being affected by Stagefright
- Google Nexus or recent brand-name devices should have received a patch or patches to protect against the exploit
- Download a Stagefright detector app to see if your device is protected
- As a general rule, don’t open or click on links in any content that looks suspicious