Android Stagefright Exploit, Millions devices open to 10-seconds hack

The Android Stagefright Exploit works on Android versions 2.2 ­to 4.0 and 5.0 to 5.1 while bypassing ASLR on Android versions 5.0 to 5.1, as version 2.2 to version 4.0 do not implement ASLR. Other Android versions are not affected by the new Stagefright exploit.

The Stagefright was first discovered in July 2015,  experts at security firm Zimperium announced the flaw is the worst Android vulnerability flaw in the mobile OS history.

The Stagefright flaw affects a media library app that is used for by Android to process Stagefright media files. According to the experts at Zimperium the media library is affected by several vulnerabilities.

Joshua Drake from Zimperium discovered seven critical vulnerabilities in the native media playback engine called Stagefright, the expert defined the Stagefright flaw the “Mother of all Android Vulnerabilities.”

The attackers can exploit the vulnerability by sending a single multimedia text message to an unpatched Android device. Despite Google has already issued a patch and has sent out to it to the company’s partners, but most manufacturers haven’t already distributed the patch to their customers exposing them to cyber attack.

In September 2015, experts at Zimperium released a Stagefright exploit, demonstrating how to trigger the Remote Code Execution (RCE). The researchers implemented the Stagefright Exploit in python by creating an MP4 exploiting the ‘stsc’ vulnerability, aka Stagefright vulnerability.

In October 2015, experts at Zimperium discovered that a billion Android phones were vulnerable to new Stagefright vulnerabilities, dubbed Stagefright 2.0  that could allow attackers to execute malicious code on the targeted device.

The researchers discovered two bugs that are triggered when processing specially crafted MP3 audio or MP4 video files.

• Tricking a victim into visiting a malicious page containing a video file that crashes the media server to reset its internal state.
• Once the media server restarts, the JavaScript hosted on the web page sends information about the device to the attacker’s server.
• The server reply with a custom generated video file to the affected device, exploiting the Stagefright bug to reveal more info about the device’s internal state.
• This information is also sent back to the attacker’s server to craft another video file that embeds a malicious payload that allows gaining the control of the mobile device.

Pierluigi Paganini

(Security Affairs – Android Stagefright Exploit, Metaphor)