Code exploiting Android's Stagefright vulnerability is now in the wild

By Scorpus
Sep 10, 2015
Post New Reply
  1. Android's Stagefright vulnerability is one of the biggest security issues discovered in the operating system, and now that code exploiting the bug has been released to the public, the situation isn't going to get better any time soon.

    'Stagefright' is essentially a collection of bugs in Android's libstagefright media library that gives attackers the ability to execute code without the knowledge of the device owner. It's pretty easy to exploit Stagefright, too, as users simply have to browse to a malicious webpage or open a booby-trapped MMS in an unpatched messaging app.

    Mobile security company Zimperium has now released code for "testing purposes" that exploits Stagefright's CVE-2015-1538 bug. The code, written in Python, generates an MP4 file that exploits the bug, giving an attacker a reverse command shell that allows them to take photos and capture audio from the microphone without a user's knowledge.

    Luckily for some, this particular exploit doesn't work on devices running Android 5.0 or newer. However, considering nearly 80% of devices are still running Android 'KitKat' or older, there are millions of people out there who could be affected by an attacker transforming this test code into a real-world exploit.

    Google has attempted to mitigate Stagefright's issues by releasing a series of patches for the bugs in conjunction with partners and OEMs. Unfortunately, as is the case with most Android updates, only a handful of devices have actually received these patches, and in some cases the patches don't actually prevent the bugs from being exploited.

    We're still a long way from seeing Stagefright patched in most Android devices, but at least the vulnerability is prompting companies to focus more attention on security issues. Both Google and Samsung have announced monthly patch cycles for their Nexus and Galaxy devices respectively, though despite their best efforts, many devices from other companies will go unpatched.

    Permalink to story.

  2. Jivex5k

    Jivex5k TS Rookie

    I believe turning off auto-retrieval is the only way to prevent these attacks from hangouts or some other mms app you are using. As for the web, good luck... It's always been annoying that I can't put ublock on android's browser.
  3. NightAngel79

    NightAngel79 TS Booster Posts: 159   +37

    You can put ad block plus on Chrome, but it only works on wifi. Ad block just released their own browser as well
  4. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 6,336   +1,938

  5. robb213

    robb213 TS Addict Posts: 309   +92

    Could someone elaborate for me? I thought the MMS loophole applied to devices above 5.0, including 5.0.1?

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...