Almost a year after the world came to know about the serious set of vulnerabilities that we today refer to as Stagefright, very little has been achieved towards mitigating the risk they pose. The flaws, which affect devices running Android 2.2 (Froyo) and later, continue to threaten Android users to this day, leaving their devices open to remote code execution.
It is important to understand that Stagefright isn’t really a bug or a virus in the conventional sense. The term actually refers to the libstagefright media library in Android, which has been shown to contain multiple exploitable vulnerabilities. Libstagefright is a software library written primarily in C++ as part of the Android Open Source Project (AOSP); it is the backend engine used to parse and play various multimedia formats, for example MP3 or MP4, and it runs inside the privileged mediaserver process, which is what makes bugs in it so valuable to an attacker.
The vulnerabilities can be triggered by something as innocuous as an MMS or a media file: the malicious content is parsed when the message is processed or the file is played, and on devices that auto-retrieve MMS content the parsing can happen before the user ever opens the message. The exploits rely on integer overflow bugs in the library’s file parsers. An integer overflow, as the name suggests, occurs when an arithmetic operation produces a value too large to be represented in the storage available for it (for example a 32-bit size field), so the result silently wraps around. A size computed this way violates the program’s assumptions: if it is used to allocate a buffer that is then filled according to the original, unwrapped count, the copy runs past the end of the buffer, and that memory corruption is what an attacker turns into code execution.
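To make the pattern concrete, here is an added example written for this page (it is not libstagefright’s own source, and the “atom” layout, a 4-byte big-endian entry count followed by 12-byte entries, is an assumption made for illustration). It shows a length check that is defeated by a wrapping multiplication next to a hardened check that bounds the count before multiplying. The hostile count value 0x15555556 is chosen so that count × 12 equals 0x100000008, which wraps to 8 in 32-bit arithmetic.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Illustrative container "atom": a 4-byte big-endian entry count followed by
   fixed-size 12-byte entries. This layout is an assumption for the example;
   it is not a real MP4 box definition and not libstagefright code. */
#define ENTRY_SIZE 12u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Constructed sample inputs: a benign atom with two entries, and a hostile
   atom whose count field (0x15555556) makes count * 12 wrap to 8. */
const uint8_t benign_atom[4 + 2 * ENTRY_SIZE] = {
    0x00, 0x00, 0x00, 0x02,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
    13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24,
};
const uint8_t hostile_atom[4 + 2 * ENTRY_SIZE] = {
    0x15, 0x55, 0x55, 0x56,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
    13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24,
};

/* Vulnerable: the byte count is computed in 32 bits. Unsigned wrap is
   well-defined in C, so nothing faults; the result is simply wrong. */
uint32_t needed_bytes_vulnerable(const uint8_t *atom, size_t atom_len) {
    if (atom_len < 4) return 0;
    return be32(atom) * ENTRY_SIZE;
}

/* The bounds check compares the wrapped value, so a huge count passes. */
int check_vulnerable(const uint8_t *atom, size_t atom_len) {
    if (atom_len < 4) return 0;
    uint32_t needed = needed_bytes_vulnerable(atom, atom_len);
    return needed <= atom_len - 4;
}

/* Vulnerable consumer: allocates the wrapped size, then copies entry by entry
   using the unwrapped count. Fed hostile_atom this would write far past an
   8-byte heap buffer (and read past the input); it is shown here but only
   ever invoked with benign input. */
long parse_entries_vulnerable(const uint8_t *atom, size_t atom_len, uint8_t **out) {
    if (!check_vulnerable(atom, atom_len)) return -1;
    uint32_t count  = be32(atom);
    uint32_t needed = count * ENTRY_SIZE;
    uint8_t *buf = malloc(needed ? needed : 1);
    if (!buf) return -1;
    for (uint32_t i = 0; i < count; i++)   /* loop bound is the unwrapped count */
        memcpy(buf + (size_t)i * ENTRY_SIZE, atom + 4 + (size_t)i * ENTRY_SIZE, ENTRY_SIZE);
    *out = buf;
    return (long)count;
}

/* Hardened: bound the count against the bytes actually present before any
   multiplication, so no wrap is possible and the copy cannot exceed the input. */
int check_hardened(const uint8_t *atom, size_t atom_len) {
    if (atom_len < 4) return 0;
    size_t remaining = atom_len - 4;
    return be32(atom) <= remaining / ENTRY_SIZE;
}

long parse_entries_hardened(const uint8_t *atom, size_t atom_len, uint8_t **out) {
    if (!check_hardened(atom, atom_len)) return -1;
    uint32_t count = be32(atom);
    size_t bytes = (size_t)count * ENTRY_SIZE;   /* <= remaining after the check */
    uint8_t *buf = malloc(bytes ? bytes : 1);
    if (!buf) return -1;
    memcpy(buf, atom + 4, bytes);
    *out = buf;
    return (long)count;
}

/* Convenience wrapper: parse with the hardened path, report the entry count,
   release the buffer. Returns -1 for rejected input. */
long hardened_entry_count(const uint8_t *atom, size_t atom_len) {
    uint8_t *buf = NULL;
    long n = parse_entries_hardened(atom, atom_len, &buf);
    free(buf);
    return n;
}

int main(void) {
    uint8_t *p = NULL;
    printf("benign : vulnerable check=%d hardened check=%d\n",
           check_vulnerable(benign_atom, sizeof benign_atom),
           check_hardened(benign_atom, sizeof benign_atom));
    printf("hostile: needed wraps to %" PRIu32 ", vulnerable check=%d, hardened check=%d\n",
           needed_bytes_vulnerable(hostile_atom, sizeof hostile_atom),
           check_vulnerable(hostile_atom, sizeof hostile_atom),
           check_hardened(hostile_atom, sizeof hostile_atom));
    printf("vulnerable parse of benign atom: %ld entries\n",
           parse_entries_vulnerable(benign_atom, sizeof benign_atom, &p));
    free(p);
    printf("hardened parse of hostile atom: %ld (rejected)\n",
           hardened_entry_count(hostile_atom, sizeof hostile_atom));
    return 0;
}
```

The fix is the order of operations: compare the count against `remaining / ENTRY_SIZE` (or use overflow-checked helpers such as GCC/Clang’s `__builtin_mul_overflow`) before the multiplication, never after. Because unsigned wrap is defined behaviour, neither the compiler nor UBSan’s default checks will flag the vulnerable version; only running the vulnerable parser on hostile input under AddressSanitizer would expose the resulting heap write.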
The bugs were discovered by Joshua Drake, vice president of Platform Research and Exploitation at the security firm Zimperium, and were publicly announced for the first time on July 27, 2015. As is usual practice for previously undisclosed vulnerabilities, Drake had already reported them to Google, which incorporated related fixes into its internal source tree before the public announcement. In case you are wondering, this practice of coordinated disclosure is followed because researchers obviously don’t want to be the ones to tell attackers about a new flaw before it has been patched.
Soon after Drake’s announcement, Evgeny Legerov, a Moscow-based security researcher, announced the discovery of two more heap overflow zero-day vulnerabilities in the same library. This and subsequent announcements prompted Google to begin issuing what are now monthly Android security patches. The company has issued patches for 115 mediaserver-related CVE (Common Vulnerabilities and Exposures) flaws to date. Many of these were found through Google’s bug bounty program, which has seen the company pay out half a million dollars in a single year.
However, we are still far from calling Stagefright history. Only a few devices have been patched for the flaws, while over a billion remain open to attack. Zimperium has released an Android application called “Stagefright Detector” that tests whether your device is vulnerable, but with the vast majority of users unaware of the problem, it is not really of much use in mitigating its effects.
Meanwhile, the fragmentation of the Android ecosystem (many manufacturers, device variants, Android versions, and the customizations manufacturers make to the OS) is keeping the fix from reaching devices on a wide basis. Google also appears unlikely to offer updates for older devices and Android versions. However, thanks to the efforts of Drake and others, at least we know what we are up against, and steps are being taken to safeguard against it.