Much has been said about the StageFright vulnerability, but we have yet to see an ultimate solution for the problem. Security patch updates are important, but even monthly releases are no guarantee that an Android device is safe from attacks. We have a bit of good news, as the attack code for this has just been made public. This kind of exploitation may not appeal to a lot of people, but it will allow not only OEMs and mobile carriers but also individuals and companies to check whether their systems and devices are affected by StageFright.
Zimperium Mobile Security Labs (Z-Labs) has been working hard to make the Android operating system safer and more secure to use. The Zimperium team has publicly released the CVE-2015-1538 StageFright exploit, demonstrating the process of Remote Code Execution (RCE) by an attacker.
The released exploit is Python code that creates an MP4 file exploiting the ‘sts’ vulnerability dubbed StageFright. Zimperium said in a written statement that it was making the code available to the general public “so that security teams, administrators, and penetration testers alike may test whether or not systems remain vulnerable.”
The company originally reported in July that it had found 10 critical vulnerabilities that could be exploited via an MMS message with a specially crafted media attachment. It was estimated that 95 percent of Android devices, or 950 million, were vulnerable. Updates were issued before the code was released.
“Google released new versions of Hangouts and Messenger to block automatic processing of multimedia files arriving via MMS. We’ve tested these updated versions and are happy to confirm they prevent unassisted remote exploitation,” Zimperium said, adding that there are still other vectors present that must be fixed.
There is also an application available, StageFright Detector, which scans devices for unpatched libstagefright vulnerabilities. The team is currently working to include the app’s detection capabilities directly in Android’s Compatibility Test Suite (CTS), a quality protection platform which makes sure all future Android-compatible devices have resolved these issues before shipment.
Drake, meanwhile, presented his research at last month’s Black Hat.
We’re grateful that Google’s Android team in particular is doing its best to address the StageFright bugs by releasing monthly security patches. The likes of LG, Motorola, Sony and Samsung have already pledged to do their part, and we’re expecting more brands to follow suit.