Stagefright: The Latest Android Phobia

Posted by Theodore on Wednesday, July 29, 2015

Zimperium zLabs discovered what they believe to be the worst Android vulnerabilities found to date. The flaws, nicknamed 'Stagefright', are in Stagefright, a media library that processes several popular media formats. Since media processing is often time-sensitive, the library is implemented in native code (C++), which is more prone to memory corruption than memory-safe languages like Java.

These issues in the Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. Attackers need only your mobile number, with which they can remotely execute code via a specially crafted media file delivered via MMS.

Android devices since version 2.2 are vulnerable. Devices running Android versions prior to Jelly Bean (roughly 11% of devices) are at the greatest risk due to inadequate exploit mitigations.

The Stagefright vulnerability was assigned the following CVEs:
  • CVE-2015-1538 
  • CVE-2015-1539 
  • CVE-2015-3824 
  • CVE-2015-3826 
  • CVE-2015-3827 
  • CVE-2015-3828 
  • CVE-2015-3829 

Fixes for these issues require an OTA firmware update for all affected devices. The bug was reported by Zimperium zLabs in April in order to give Google enough time to fix the problem and send patches out to its partners. The security company says that Google has done so, but that most manufacturers have not reissued them to users, working to the traditionally slow pace of Android phone partners. Devices older than 18 months are unlikely to receive an update at all.

Risk mitigation

Consider changing the settings on your Android apps that use MMS, like Messaging and Hangouts. Deselect “automatically retrieve MMS messages.” In the meantime, consider using alternate messaging services.

Other than that, keep your phone number private. Researchers plan to present more details at the Black Hat conference next month.

Image credit: Stagefright, Zimperium blog