Pierluigi Paganini October 02, 2015

A billion Android phones are vulnerable to Stagefright 2.0 flaws that could be exploited by attackers to execute malicious code on the targeted device.

Do you remember the Stagefright vulnerability? In July 2015,  security experts from Zimperium discovered the Stagefright flaw in the popular Google Android OS which allows hackers to gain control of the system without raising suspicion.

At the time of the discovered it has been estimated that the Stagefright flaw was potentially affecting 95% of Android devices running version 2.2 to 5.1 of the Google OS (roughly 950 million smartphones).  Experts at security firm Zimperium announced the Stagefright vulnerability as the worst Android flaw in the mobile OS history.

The Stagefright flaw affects a media library app that is used for by Android to process Stagefright media files. According to the experts at Zimperium the media library is affected by several vulnerabilities.

A few weeks ago, Zimperium experts have publicly released the Stagefright Exploit, demonstrating how to trigger the Remote Code Execution (RCE). The researchers implemented the Stagefright Exploit in python by creating an MP4 exploiting the ‘stsc’ vulnerability, aka Stagefright vulnerability.

“We are pleased to finally make this code available to the general public so that security teams, administrators, and penetration testers alike may test whether or not systems remain vulnerable. What follows is a python script that generates an MP4 exploiting the ‘stsc’ vulnerability otherwise known as CVE-2015-1538 (#1).” states Zimperium.

Now, it seems that a billion Android phones are vulnerable to new Stagefright vulnerabilities, dubbed Stagefright 2.0,  that also in this case could allow attackers to execute malicious code on the targeted device.

Stagefright 2.0 vulnerabilities have been discovered by Zimperium, in particular, the experts discovered two bugs that are triggered when processing specially crafted MP3 audio or MP4 video files.

“The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.” states the blog post published by Zimperium.”

A first vulnerability affects the libutils library (CVE-2015-6602) in every Android version since 1.0. The vulnerability can be exploited even on the latest Android releases by triggering a second vulnerability in libstagefright, a library used in the Google mobile OS to process media files.

An attacker can use booby-trapped audio or video files to execute malicious code on the victim’s device, even if the Android device is running Android 5.0 or later. Devices running 5.0 or earlier can be similarly in a similar way when they use the flawed function implemented in the libutils.

The post published by Zimperium includes the description of attack scenarios:

1. An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled Web site (e.g., mobile spear-phishing or malicious ad campaign)
2. An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
3. 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.

Google representatives have declared that the Stagefright 2.0 vulnerabilities will be fixed in the next update scheduled for release next week, but you have to consider that it may take time before your system is up to date Android.

Once Google issue the update, it could take days for it to become available to users of Google devices depending on the vendors.

Pierluigi Paganini

(Security Affairs – Stagefright 2.0, Android)