Android's Stagefright vulnerability is one of the biggest security issues discovered in the operating system, and now that code exploiting the bug has been released to the public, the situation isn't going to get better any time soon.
'Stagefright' is essentially a collection of bugs in Android's libstagefright media library that give attackers the ability to execute code without the knowledge of the device owner. It's pretty easy to exploit Stagefright, too, as a user simply has to browse to a malicious webpage or open a booby-trapped MMS in an unpatched messaging app.
Mobile security company Zimperium has now released code for "testing purposes" that exploits Stagefright's CVE-2015-1538 bug. The code, written in Python, generates an MP4 file that exploits the bug, giving an attacker a reverse command shell that allows them to take photos and capture audio from the microphone without a user's knowledge.
Luckily for some, this particular exploit doesn't work on devices running Android 5.0 or newer. However, considering nearly 80% of devices are still running Android 'KitKat' or older, there are millions of people out there who could be affected by an attacker transforming this test code into a real-world exploit.
Google has attempted to mitigate Stagefright's issues by releasing a series of patches for the bugs in conjunction with partners and OEMs. Unfortunately, as is the case with most Android updates, only a handful of devices have received these patches, and in some cases the patches don't actually prevent the bugs from being exploited.
We're still a long way from seeing Stagefright patched in most Android devices, but at least the vulnerability is prompting companies to focus more attention on security issues. Both Google and Samsung have announced monthly patch cycles for their Nexus and Galaxy devices respectively, though despite their best efforts, many devices from other companies will go unpatched.