Vulnerabilities / Threats

7/27/2015
05:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Stagefright Android Bug: 'Heartbleed for Mobile' But Harder To Patch

Critical vulnerability in Android's multimedia playback engine is easy to exploit, requires no user interaction, and affects 95 percent of Android devices.

Researchers have uncovered a remote code execution Android vulnerability that could be exploited with only a malicious media file and a phone number. The bug in Android's multimedia playback engine leaves 95 percent of Android devices worldwide critically exposed. It is being called "Heartbleed for mobile," but will be prove harder than Heartbleed to fully fix.

The so-called Stagefright vulnerability was discovered by Joshua J. Drake, vice-president of platform research and exploitation at Zimperium zLabs, who will be presenting his findings at Black Hat Las Vegas next week. Drake actually discovered a variety of implementation issues in Stagefright that could be used to commit of variety of attacks, including denials of service and remote code execution.

The worst of the exploits requires no user interaction: the maliciously crafted media file could be delivered via an MMS message, and the user wouldn't even need to open it. In other words, the only thing attackers need to know about their target is their phone number. According to researchers, an exploit could even be written so that the message could be deleted before the user has a chance to see it.

"This is Heartbleed for mobile -- a remotely exploitable vulnerability that affects millions of Android-based phones and tablets," says Chris Wysopal, CTO and CISO of Veracode. "These are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS. All an attacker needs to do is send an MMS to a user’s device phone number and sit back and wait for the malware to take over."

The prevalence and ease of exploit of this vulnerability is why Wysopal compares it to Heartbleed. "It's the first Android vulnerability that's gotten to that level," he says.

The vulnerability affects Android devices versions 2.2 and later; pre-Jellybean devices are at the worst risk. Zimperium reported it to Google, which has applied patches, but full fixes require all affected devices to have an over-the-air firmware update. And that's perhaps the biggest concern: remediation requires a lot of parties to be involved, will take time, and some may never get around to it.

"The update process is very long and complicated, and most Android users will never receive an OS update," says Zuk Avraham, founder, chairman and CTO of Zimperium. "This is more challenging than Heartbleed, because in that case you can simply patch the server."  

Wysopal says attackers will be creating and distributing exploits soon. "It's probably a matter of days, so time is of the essence to get the devices patched," he says. But "in the past, it [patching] has been a fragmented process."

Google may release a patch, Wysopal says, but the rest of the Android ecosystem -- the handset manufacturers and wireless carriers, for example -- may take weeks or longer. "We need to start asking them for a timeline," he says. "Unfortunately it's a situation where the individual user may need to take the lead."

The good news is that these Stagefright vulnerabilities do not grant attackers to the victim's entire Android device -- only to their media files -- and wouldn't allow the attacker to make the jump onto an enterprise network, he says.

The question then is will this remain--like other mobile threats before it--a consumer or individual issue. Spying on one's media files could be a threat to an individual, but will it be the kind of thing that brings mobile malware a bigger concern to the enterprise?

Wysopal says the Stagefright exploit could be nastier if combined with a privilege escalation exploit.

"There are targeted attacks on smartphones, as the Hacking Team leak has proved," says Avraham. "We are seeing a lot of attacks. This is the most silent threat to the enterprise out there, empowering attackers to essentially spy on anyone from executives to prime ministers and celebrities."

Wysopal's advice is to turn off the auto-download of MMS messages feature, and then avoid opening MMS messages from unfamiliar senders.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.