Attack code exploiting Android’s critical Stagefright bugs released by Zimperium
Security research firm Zimperium on Wednesday publicly released the proof-of-concept (PoC) attack code that allows attackers to take control of vulnerable Android phones. The release means that developers at Google, carriers and handset manufacturers must now race against time to distribute patches to hundreds of millions of end users.
The Stagefright bugs are critical vulnerabilities affecting close to a billion Android smartphones from all manufacturers. The flaws, discovered by Zimperium researchers, reside in an Android media library known as libstagefright and give attackers a variety of ways to covertly execute malicious code on unsuspecting owners’ Android smartphones and tablets.
Zimperium reported the vulnerabilities in April and May, and they were publicly disclosed in July 2015. Joshua Drake of Zimperium Mobile Security discovered six plus one critical vulnerabilities in the native media playback engine called Stagefright, which he dubbed the ‘Mother of all Android Vulnerabilities’.
After Zimperium informed Google, the Android security team spent the past four months preparing fixes and distributing them to carriers and smartphone manufacturers. However, except for Nexus devices, high-end Samsung smartphones such as the Samsung Galaxy 6 and Galaxy 6 Edge, and some LG and Motorola models, most manufacturers have yet to release the fix to end users.
Critics have also warned that the fixes released by the Android security team are merely band-aids and don’t patch the real flaw in libstagefright. The patch released by Google was itself found to be so flawed that attackers can exploit the vulnerability anyway.
As of now, a Nexus 5 phone patched with all the fixes released by Google is still reported as vulnerable to the Stagefright attack.
Google and other Android smartphone manufacturers had asked Zimperium to withhold the release of proof-of-concept code that exploits the bugs, but on Wednesday the company finally published it. The Python script generates an MP4 media file that exploits CVE-2015-1538 and gives the attacker a reverse command shell. The attacker is then able to take pictures and remotely listen to audio within earshot of the microphone. The exploit doesn’t work against Android versions 5.0 and above thanks to new integer overflow mitigations.
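As an added illustration (not Zimperium’s script and not libstagefright’s code), the C below models the class of mitigation the article refers to: a 32-bit entry count in an MP4 table box that, multiplied by the entry size, wraps in 32-bit arithmetic so that a later allocation is far too small, beside a hardened check that rejects such a box. The box layout and the ‘tabl’ box type are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Model of an MP4 table box: 4-byte big-endian box size, 4-byte type,
 * 4-byte big-endian entry_count, then entry_count fixed-size entries.
 * Illustrative only; this is not libstagefright's parser. */
#define BOX_HDR_LEN 8u
#define COUNT_LEN   4u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Unchecked 32-bit arithmetic: a hostile entry_count wraps the result,
 * so an allocation sized from it is much smaller than the data copied in. */
uint32_t naive_table_bytes(uint32_t entry_count, uint32_t entry_size) {
    return entry_count * entry_size;
}

/* Hardened: compute in 64 bits, then require the table to fit both a
 * 32-bit size and the payload actually present in the box. */
bool checked_table_bytes(const uint8_t *box, size_t box_len,
                         uint32_t entry_size, size_t *out_bytes) {
    if (box_len < BOX_HDR_LEN + COUNT_LEN) return false;
    uint32_t box_size = be32(box);
    if (box_size < BOX_HDR_LEN + COUNT_LEN || box_size > box_len) return false;
    uint32_t entry_count = be32(box + BOX_HDR_LEN);
    uint64_t needed = (uint64_t)entry_count * entry_size;        /* cannot wrap */
    if (needed > UINT32_MAX) return false;                        /* would wrap in 32 bits */
    if (needed > box_size - BOX_HDR_LEN - COUNT_LEN) return false; /* more entries than data */
    *out_bytes = (size_t)needed;
    return true;
}

/* Constructed boxes (type 'tabl' is made up). The first claims
 * 0x40000001 entries of 12 bytes: 12884901900 bytes, which wraps to 12. */
static const uint8_t hostile_box[16] = {
    0x00,0x00,0x00,0x10, 't','a','b','l', 0x40,0x00,0x00,0x01, 0,0,0,0 };
static const uint8_t valid_box[24] = {
    0x00,0x00,0x00,0x18, 't','a','b','l', 0x00,0x00,0x00,0x01,
    1,2,3,4,5,6,7,8,9,10,11,12 };

/* Returns the byte count the checked parser accepts, or 0 if it rejects the box. */
size_t accepted_bytes(const uint8_t *box, size_t box_len, uint32_t entry_size) {
    size_t n = 0;
    return checked_table_bytes(box, box_len, entry_size, &n) ? n : 0;
}
```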
Google engineers are sure to be racing against time to mitigate the threat, as the public availability of the code is likely to mean attacks on hapless Android smartphone owners.
Here are some videos showing the PoC in action:
And this is Joshua Drake’s presentation at DEF CON 2015.
Android smartphone owners are advised to disable multimedia messaging in Google Hangouts or to avoid it completely. They can revert to the default SMS app to avoid having their Android smartphones fall under the control of attackers.