Vulnerabilities / Threats

7/27/2015
05:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Stagefright Android Bug: 'Heartbleed for Mobile' But Harder To Patch

Critical vulnerability in Android's multimedia playback engine is easy to exploit, requires no user interaction, and affects 95 percent of Android devices.

Researchers have uncovered a remote code execution Android vulnerability that could be exploited with only a malicious media file and a phone number. The bug in Android's multimedia playback engine leaves 95 percent of Android devices worldwide critically exposed. It is being called "Heartbleed for mobile," but will be prove harder than Heartbleed to fully fix.

The so-called Stagefright vulnerability was discovered by Joshua J. Drake, vice-president of platform research and exploitation at Zimperium zLabs, who will be presenting his findings at Black Hat Las Vegas next week. Drake actually discovered a variety of implementation issues in Stagefright that could be used to commit of variety of attacks, including denials of service and remote code execution.

The worst of the exploits requires no user interaction: the maliciously crafted media file could be delivered via an MMS message, and the user wouldn't even need to open it. In other words, the only thing attackers need to know about their target is their phone number. According to researchers, an exploit could even be written so that the message could be deleted before the user has a chance to see it.

"This is Heartbleed for mobile -- a remotely exploitable vulnerability that affects millions of Android-based phones and tablets," says Chris Wysopal, CTO and CISO of Veracode. "These are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS. All an attacker needs to do is send an MMS to a user’s device phone number and sit back and wait for the malware to take over."

The prevalence and ease of exploit of this vulnerability is why Wysopal compares it to Heartbleed. "It's the first Android vulnerability that's gotten to that level," he says.

The vulnerability affects Android devices versions 2.2 and later; pre-Jellybean devices are at the worst risk. Zimperium reported it to Google, which has applied patches, but full fixes require all affected devices to have an over-the-air firmware update. And that's perhaps the biggest concern: remediation requires a lot of parties to be involved, will take time, and some may never get around to it.

"The update process is very long and complicated, and most Android users will never receive an OS update," says Zuk Avraham, founder, chairman and CTO of Zimperium. "This is more challenging than Heartbleed, because in that case you can simply patch the server."  

Wysopal says attackers will be creating and distributing exploits soon. "It's probably a matter of days, so time is of the essence to get the devices patched," he says. But "in the past, it [patching] has been a fragmented process."

Google may release a patch, Wysopal says, but the rest of the Android ecosystem -- the handset manufacturers and wireless carriers, for example -- may take weeks or longer. "We need to start asking them for a timeline," he says. "Unfortunately it's a situation where the individual user may need to take the lead."

The good news is that these Stagefright vulnerabilities do not grant attackers to the victim's entire Android device -- only to their media files -- and wouldn't allow the attacker to make the jump onto an enterprise network, he says.

The question then is will this remain--like other mobile threats before it--a consumer or individual issue. Spying on one's media files could be a threat to an individual, but will it be the kind of thing that brings mobile malware a bigger concern to the enterprise?

Wysopal says the Stagefright exploit could be nastier if combined with a privilege escalation exploit.

"There are targeted attacks on smartphones, as the Hacking Team leak has proved," says Avraham. "We are seeing a lot of attacks. This is the most silent threat to the enterprise out there, empowering attackers to essentially spy on anyone from executives to prime ministers and celebrities."

Wysopal's advice is to turn off the auto-download of MMS messages feature, and then avoid opening MMS messages from unfamiliar senders.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: White Privelege Day
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17282
PUBLISHED: 2018-09-20
An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.
CVE-2018-14592
PUBLISHED: 2018-09-20
The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
CVE-2018-15832
PUBLISHED: 2018-09-20
upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI ha...
CVE-2018-16282
PUBLISHED: 2018-09-20
A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI.
CVE-2018-16752
PUBLISHED: 2018-09-20
LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.