Android Stagefright Exploit, Millions devices open to 10-seconds hack

Pierluigi Paganini March 18, 2016

Millions of Android devices are open to hacking attacks due to the newly disclosed Android Stagefright Exploit that hack a smartphone in 10 seconds.

New problems for Android users, security experts at software research firm NorthBit have developed an exploit for a Stagefright vulnerability affecting Google’s operating system.

Millions of Android devices are open to hacking attacks due to the newly disclosed Android Stagefright Exploit that could allow attackers to hack a smartphone in 10 seconds.

The attacker just needs to trick users into visiting a specifically crafted web page that includes a malicious multimedia file.

The researchers at NorthBit have dubbed the Android Stagefright Exploit Metaphor, they published a detailed analysis of the attack in a paper entitled “Metaphor A (real) real­life Stagefright exploit.

The researchers have published a proof-of-concept video that shows how they hacked an Android Nexus 5 device using their Metaphor exploit in just 10 seconds. They also demonstrated that the Android Stagefright Exploit Metaphor works against other mobile devices, including Samsung Galaxy S5, LG G3 and HTC One smartphones.

“Although the bug exists in many versions (nearly a 1,000,000,000 devices) it was claimed impractical to exploit in­the­wild, mainly due to the implementation of exploit mitigations in newer Android versions, specifically ASLR.” states the paper.
The Android Stagefright Exploit works on Android versions 2.2 ­to 4.0 and 5.0 to 5.1 while bypassing ASLR on Android versions 5.0 to 5.1, as version 2.2 to version 4.0 do not implement ASLR. Other Android versions are not affected by the new Stagefright exploit.
The Stagefright was first discovered in July 2015,  experts at security firm Zimperium announced the flaw is the worst Android vulnerability flaw in the mobile OS history.

The Stagefright flaw affects a media library app that is used for by Android to process Stagefright media files. According to the experts at Zimperium the media library is affected by several vulnerabilities.

Joshua Drake from Zimperium discovered seven critical vulnerabilities in the native media playback engine called Stagefright, the expert defined the Stagefright flaw the “Mother of all Android Vulnerabilities.”

The attackers can exploit the vulnerability by sending a single multimedia text message to an unpatched Android device. Despite Google has already issued a patch and has sent out to it to the company’s partners, but most manufacturers haven’t already distributed the patch to their customers exposing them to cyber attack.

In September 2015, experts at Zimperium released a Stagefright exploit, demonstrating how to trigger the Remote Code Execution (RCE). The researchers implemented the Stagefright Exploit in python by creating an MP4 exploiting the ‘stsc’ vulnerability, aka Stagefright vulnerability.
Stagefright Exploit
In October 2015, experts at Zimperium discovered that a billion Android phones were vulnerable to new Stagefright vulnerabilities, dubbed Stagefright 2.0  that could allow attackers to execute malicious code on the targeted device.

The researchers discovered two bugs that are triggered when processing specially crafted MP3 audio or MP4 video files.

The hacking procedure described by the researchers at NorthBit is composed of the following steps:
  • Tricking a victim into visiting a malicious page containing a video file that crashes the media server to reset its internal state.
  • Once the media server restarts, the JavaScript hosted on the web page sends information about the device to the attacker’s server.
  • The server reply with a custom generated video file to the affected device, exploiting the Stagefright bug to reveal more info about the device’s internal state.
  • This information is also sent back to the attacker’s server to craft another video file that embeds a malicious payload that allows gaining the control of the mobile device.

Pierluigi Paganini

(Security Affairs – Android Stagefright Exploit, Metaphor)

you might also like

leave a comment