New Stagefright exploit threatens unpatched Android devices

One of Android’s biggest security scares is back for an encore.


Researchers at NorthBit have discovered a new variant of last year's notorious Stagefright vulnerability that threatens all unpatched Android devices.

In July of 2015, the security team at Zimperium first published its research on Stagefright, a critical security vulnerability in Android phones which could be used by attackers to silently and remotely infect them with malware.

Zimperium's researchers explained in last summer's post that with only a target's phone number, attackers can send a user a specially crafted media file delivered via Multimedia Messaging Service (MMS). A successful exploit requires absolutely no user input before compromising the device, leaving the victim with a compromised phone through which attackers can spy on their activities.

Several months later, Zimperium's research teams released a follow-up post in which they disclosed "Stagefright 2.0," a bug through which attackers can compromise Android users' devices via a specially crafted audio or MP4 video file.

After a false start, Google has since patched the Stagefright vulnerabilities unearthed by Zimperium. However, not every Android phone or tablet has received or is even able to install them.

That's bad news for potentially millions of Android devices.

Unfortunately, a new Stagefright exploit signals that we have now gone from bad to worse.

Hanan Be'er, a researcher with advanced software research firm NorthBit, describes in a new report what he calls "a (real) real-life Stagefright exploit", which he has dubbed "Metaphor".

The exploit involves four steps:

  1. An attacker tricks a user via XSS, ads, or a drive-by campaign into visiting a malicious webpage containing a specially crafted video file that crashes the Android device's mediaserver and forces it to reset its internal state. The target does not need to click on the video file for this first step to work, as the exploit begins as soon as the web browser starts parsing the file.
  2. Some JavaScript on the page waits for the mediaserver to reset, at which point it sends some device information back to the attacker's private server.
  3. The server responds with a custom video file that exploits the Stagefright vulnerability in an effort to extract more information about the user's device and send it back to the attacker.
  4. A third video file is generated and sent to the victim from the attacker's private server. This file, however, contains embedded malware that runs with all privileges.

This newest exploit of Stagefright leverages CVE-2015-3864 and bypasses address space layout randomization (ASLR), as Be'er explains:

"It was claimed [the bug] was impractical to exploit in the wild, mainly due to the implementation of exploit mitigations in newer Android versions, specifically ASLR. The team here at North-Bit has built a working exploit affecting Android versions 2.2 to 4.0 and 5.0 to 5.1, while bypassing ASLR on versions 5.0 to 5.1 (as Android versions 2.2 to 4.0 do not implement ASLR)."

A YouTube video of the exploit in action can be viewed below:

According to NorthBit's report, its researchers have built a working exploit affecting Android versions 2.2 - 4.0 and 5.0 - 5.1, while bypassing ASLR on versions 5.0 - 5.1 (as Android versions 2.2 - 4.0 do not implement ASLR).

To read more about this exploit, please check out the research paper.

The report is of little consolation to Android users whose devices cannot or have not received the Stagefright patches. But at the very least, it provides some context on the threat facing users.

JavaScript appears to be an integral part of this exploit.

With that in mind, I would recommend vulnerable users activate the NoScript extension on their mobile browsers. This add-on disables all JavaScript by default in a browser, giving users the option to activate JavaScript on websites they trust and to leave it deactivated on sites that they don't.

NoScript therefore could potentially prevent the malicious webpage's script from successfully completing the second step of the Metaphor exploit.


3 Comments on "New Stagefright exploit threatens unpatched Android devices"

Bob (Visitor), March 18, 2016 10:47 am

University of Cambridge report finds 87.7% of Android devices are insecure.

https://www.cl.cam.ac.uk/~drt24/papers/spsm-scoring.pdf

Isma'il (Visitor), March 18, 2016 8:25 pm

Makes me glad I use a Lumia 1520. No Android in sight.

Bob (Visitor), March 21, 2016 10:32 am

A great phone and it should be one which is eligible for a free upgrade to Windows 10 Mobile shortly. Windows phones are generally considered very secure.
