Stagefright - The most frightful Android bug ever!


Stagefright - What is it?

The most recently discovered Android bug is nicknamed Stagefright, after the Stagefright media playback tool in the Android operating system. This media playback tool helps Android phones unpack and process multimedia content, which includes video, audio, photos and text files.

The bug, which is found in this library, allows an unauthorized user to perform remote code execution in the device through a multimedia message.

In most cases, the victims are not even aware of the remote code execution, because the bug does not call for user action, especially if the default messaging application selected by the user is Google Hangouts.

The Hangouts application focuses on 'simplifying' the user's task: it processes incoming videos so they are ready to view as soon as the user opens the app. Because Hangouts processes the MMS message automatically, the attack takes place without giving the user any clue about what is happening.

Thanks to Joshua Drake, Sr. Director of Platform Research and Exploitation at Zimperium, a privately-owned mobile-security startup, for finding this frightful vulnerability, which has put more than 900 million Android devices at potential risk.

Technically speaking, Stagefright is not a single bug, but a collection of seven bugs known so far. According to CVE, a dictionary of publicly known information security vulnerabilities and exposures, the following are the bugs that are identified to be within the Stagefright bug:

  • CVE-2015-1538
  • CVE-2015-1539
  • CVE-2015-3824
  • CVE-2015-3826
  • CVE-2015-3827
  • CVE-2015-3828
  • CVE-2015-3829


Fix for Stagefright?

Although Google's Android security lead engineer, Adrian Ludwig, claims that ASLR, which is currently enabled on more than 90% of Android devices, protects users against the buffer overflow attack, ASLR is not a complete fix for the Stagefright bug. You may be one of the millions who wonder what ASLR is all about.

ASLR was originally enabled in the default Linux kernel in 2005, and it is now enabled in other widely available operating systems, too. The technique protects devices from buffer overflow attacks by randomly arranging the address space positions of key data, including the positions of the stack, the heap and shared libraries.

This makes it harder for an attacker to predict target locations, because the key areas of a running program or service are not placed at the same location in RAM every time. Also, an attack that relies on guessing a target location is a one-shot attempt: if the values the attacker supplies are wrong, the application crashes.
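ASLR only moves the stack, the heap and the libraries for you; a main executable is only placed at a random base when it was linked as position-independent code (ELF type ET_DYN, "PIE"), otherwise its code stays at a fixed address no matter what the kernel setting says. The script below is an added example, not code from the article or from Zimperium: it reads the two facts a defender checks to see how much of a process ASLR actually covers, the ELF type of a binary and the Linux `randomize_va_space` sysctl. The two ELF headers it parses are constructed inline so it runs offline; the constants are the real values from the ELF specification and the kernel documentation.

```python
import struct

# Real constants from the ELF specification (not page-specific values).
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC, ET_DYN = 2, 3
EM_ARM, EM_X86_64 = 40, 62


def parse_elf_header(data: bytes) -> dict:
    """Parse the ELF header fields needed to judge ASLR coverage.

    Returns a dict with 'bits', 'endian', 'e_type' and 'e_machine'.
    Raises ValueError for non-ELF input or a truncated header.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64):
        raise ValueError(f"unknown EI_CLASS {ei_class}")
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError(f"unknown EI_DATA {ei_data}")
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    # e_type and e_machine sit at offsets 16 and 18 in both 32- and 64-bit headers.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == ELFCLASS32 else 64,
        "endian": "little" if endian == "<" else "big",
        "e_type": e_type,
        "e_machine": e_machine,
    }


def is_pie(data: bytes) -> bool:
    """A main executable gets a randomized load address only if it is ET_DYN (PIE)."""
    return parse_elf_header(data)["e_type"] == ET_DYN


def describe_randomize_va_space(value: str) -> str:
    """Interpret /proc/sys/kernel/randomize_va_space as the Linux kernel documents it."""
    table = {
        "0": "ASLR disabled",
        "1": "stack, mmap base, VDSO and shared libraries randomized; brk heap not",
        "2": "full ASLR: stack, mmap base, VDSO, libraries and brk heap randomized",
    }
    key = value.strip()
    if key not in table:
        raise ValueError(f"unexpected randomize_va_space value {value!r}")
    return table[key]


def aslr_status_from_proc(path: str = "/proc/sys/kernel/randomize_va_space") -> str:
    """Read the live kernel setting (Linux and Android only)."""
    with open(path) as fh:
        return describe_randomize_va_space(fh.read())


def make_header(bits: int, little_endian: bool, e_type: int, e_machine: int) -> bytes:
    """Build a constructed, minimal ELF header; only the parsed fields are meaningful."""
    ident = ELF_MAGIC + bytes([
        ELFCLASS64 if bits == 64 else ELFCLASS32,
        ELFDATA2LSB if little_endian else ELFDATA2MSB,
        1,                      # EI_VERSION
    ]) + b"\0" * 9              # EI_OSABI, EI_ABIVERSION, padding
    endian = "<" if little_endian else ">"
    return ident + struct.pack(endian + "HH", e_type, e_machine) + b"\0" * 44


# Constructed samples: a 32-bit ARM executable linked at a fixed address, and a
# 64-bit x86-64 PIE. Neither is a real binary.
SAMPLE_ARM_EXEC = make_header(32, True, ET_EXEC, EM_ARM)
SAMPLE_X86_64_PIE = make_header(64, True, ET_DYN, EM_X86_64)

if __name__ == "__main__":
    for name, blob in (("arm-exec", SAMPLE_ARM_EXEC), ("x86_64-pie", SAMPLE_X86_64_PIE)):
        print(name, parse_elf_header(blob), "PIE" if is_pie(blob) else "fixed base")
    try:
        print("kernel:", aslr_status_from_proc())
    except OSError:
        print("kernel: randomize_va_space not available on this platform")
```

On a real device the same `parse_elf_header` can be fed the first 64 bytes of any binary pulled with `adb pull`; a non-PIE result means the process keeps a fixed code region that randomization of the stack, heap and libraries does not protect, which is one concrete reason ASLR alone is not a complete fix.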

To the dismay of millions, Stagefright has been a potential avenue into the system for the past five years. Once a device is compromised, the attacker has complete access to its sensitive data, photos, camera and microphone. No wonder the bug is called “The Mother of All Android Vulnerabilities”.

There are a few Stagefright bug detectors available online that detect and confirm whether a device is vulnerable, but they do not offer a patch for the bug. To protect yourself, disable the 'auto-retrieval of MMS' option in whichever application you have set as the default for messaging.

More articles by Sherlin Oneeta Bastin