Vulnerabilities / Threats
7/27/2015
05:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Stagefright Android Bug: 'Heartbleed for Mobile' But Harder To Patch

Critical vulnerability in Android's multimedia playback engine is easy to exploit, requires no user interaction, and affects 95 percent of Android devices.

Researchers have uncovered a remote code execution Android vulnerability that could be exploited with only a malicious media file and a phone number. The bug in Android's Stagefright multimedia playback engine leaves 95 percent of Android devices worldwide critically exposed. It is being called "Heartbleed for mobile," but will be prove harder than Heartbleed to fully fix.

The vulnerability was discovered by Joshua J. Drake, vice-president of platform research and exploitation at Zimperium zLabs, who will be presenting his findings at Black Hat Las Vegas next week. Drake actually discovered a variety of implementation issues in Stagefright that could be used to commit of variety of attacks, including denials of service and remote code execution.

The worst of the exploits requires no user interaction: the maliciously crafted media file could be delivered via an MMS message, and the user wouldn't even need to open it. In other words, the only thing attackers need to know about their target is their phone number. According to researchers, an exploit could even be written so that the message could be deleted before the user has a chance to see it.

"This is Heartbleed for mobile -- a remotely exploitable vulnerability that affects millions of Android-based phones and tablets," says Chris Wysopal, CTO and CISO of Veracode. "These are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS. All an attacker needs to do is send an MMS to a user’s device phone number and sit back and wait for the malware to take over."

The prevalence and ease of exploit of this vulnerability is why Wysopal compares it to Heartbleed. "It's the first Android vulnerability that's gotten to that level," he says.

The vulnerability affects Android devices versions 2.2 and later; pre-Jellybean devices are at the worst risk. Zimperium reported it to Google, which has applied patches, but full fixes require all affected devices to have an over-the-air firmware update. And that's perhaps the biggest concern: remediation requires a lot of parties to be involved, will take time, and some may never get around to it.

"The update process is very long and complicated, and most Android users will never receive an OS update," says Zuk Avraham, founder, chairman and CTO of Zimperium. "This is more challenging than Heartbleed, because in that case you can simply patch the server."  

Wysopal says attackers will be creating and distributing exploits soon. "It's probably a matter of days, so time is of the essence to get the devices patched," he says. But "in the past, it [patching] has been a fragmented process."

Google may release a patch, Wysopal says, but the rest of the Android ecosystem -- the handset manufacturers and wireless carriers, for example -- may take weeks or longer. "We need to start asking them for a timeline," he says. "Unfortunately it's a situation where the individual user may need to take the lead."

The good news is that these Stagefright vulnerabilities do not grant attackers to the victim's entire Android device -- only to their media files -- and wouldn't allow the attacker to make the jump onto an enterprise network, he says.

The question then is will this remain--like other mobile threats before it--a consumer or individual issue. Spying on one's media files could be a threat to an individual, but will it be the kind of thing that brings mobile malware a bigger concern to the enterprise?

Wysopal says the Stagefright exploit could be nastier if combined with a privilege escalation exploit.

"There are targeted attacks on smartphones, as the Hacking Team leak has proved," says Avraham. "We are seeing a lot of attacks. This is the most silent threat to the enterprise out there, empowering attackers to essentially spy on anyone from executives to prime ministers and celebrities."

Wysopal's advice is to turn off the auto-download of MMS messages feature, and then avoid opening MMS messages from unfamiliar senders.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.