New Stagefright exploit threatens unpatched Android devices

One of Android’s biggest security scares is back for an encore.

David Bisson


Researchers at NorthBit have discovered a new variant of last year’s notorious Stagefright vulnerability that threatens all unpatched Android devices.

In July 2015, the security team at Zimperium first published its research on Stagefright, a set of critical vulnerabilities in Android's media-processing library (libstagefright) that attackers could use to silently and remotely infect phones with malware.

Zimperium's researchers explained in that post that, knowing only a target's phone number, an attacker can send a specially crafted media file via Multimedia Messaging Service (MMS). A successful exploit requires no user interaction at all: the phone is compromised before the victim sees anything, giving the attacker a foothold from which to spy on their activities.


Several months later, Zimperium’s research teams released a follow-up post in which they disclosed “Stagefright 2.0,” a bug through which attackers can compromise Android users’ devices via a specially crafted audio or MP4 video file.

After a false start, Google has since patched the Stagefright vulnerabilities unearthed by Zimperium. However, not every Android phone or tablet has received the patches, and many are not even able to install them.

That’s bad news for potentially millions of Android devices.

Unfortunately, a new Stagefright exploit signals that we have now gone from bad to worse.

Hanan Be’er, a researcher with the software research firm NorthBit, presents in a new report what he calls “a (real) real-life Stagefright exploit”, which he has dubbed “Metaphor”.

The exploit involves four steps:

  1. An attacker lures a user, via XSS, a malicious ad, or a drive-by campaign, to a web page containing a specially crafted video file that crashes Android’s mediaserver process so that it restarts and its internal state is reset. The target does not need to click on the video for this first step to work: the exploit begins as soon as the browser loads the page and hands the file to mediaserver for parsing.
  2. JavaScript on the page waits for mediaserver to come back up, at which point it sends some device information back to the attacker’s server.
  3. The server responds with a custom video file that exploits the Stagefright vulnerability to leak further details about the device (the information the exploit needs to defeat ASLR) and send them back to the attacker.
  4. A third video file, generated on the attacker’s server for that specific device, is sent to the victim. This file carries the malicious payload, which executes with the privileges of the mediaserver process.

This newest exploit of Stagefright leverages CVE-2015-3864 and bypasses address space layout randomization (ASLR), as Be’er explains:

“It was claimed [the bug] was impractical to exploit in the wild, mainly due to the implementation of exploit mitigations in newer Android versions, specifically ASLR. The team here at North-Bit has built a working exploit affecting Android versions 2.2 to 4.0 and 5.0 to 5.1, while bypassing ASLR on versions 5.0 to 5.1 (as Android versions 2.2 to 4.0 do not implement ASLR).”
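CVE-2015-3864 is an integer overflow in libstagefright’s MPEG-4 parser (MPEG4Extractor::parseChunk) when it handles a ‘tx3g’ timed-text atom. The earlier fix for CVE-2015-3824 rejected an atom if `SIZE_MAX - chunk_size <= size`, but `chunk_size` is a 64-bit value while `size_t` is 32 bits on the ARM builds Metaphor targets: an atom declaring a size above 4 GiB makes that subtraction wrap, the check passes, the allocation `size + chunk_size` is truncated to a small buffer, and the read that follows overruns it. The C below is an added example written for this article, not NorthBit’s code and not the AOSP source; it models the two versions of the check with a 32-bit `size_t` stand-in (`sz32_t`) so the arithmetic behaves the same on any host, and feeds them constructed atom headers. The function names, the `size` value of 0x20 existing bytes and the header bytes are all assumptions made for the demonstration.

```c
/*
 * Added example: a model of the 'tx3g' atom size check behind CVE-2015-3864.
 * Not NorthBit's code and not the AOSP source. size_t is modelled as 32 bits
 * (sz32_t) so the overflow behaves as on a 32-bit Android build regardless
 * of the host.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t sz32_t;          /* stand-in for a 32-bit size_t */
#define SZ32_MAX UINT32_MAX       /* stand-in for SIZE_MAX on that build */

/* Big-endian field readers for ISO BMFF (MP4) atom headers. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/*
 * Parse one atom header: 32-bit size then 4-byte type; a size of 1 means a
 * 64-bit "largesize" follows. libstagefright keeps the result in a uint64_t
 * chunk_size, which is what the size checks below receive.
 * Returns the header length (8 or 16), or 0 if buf is too short.
 */
size_t parse_atom_header(const uint8_t *buf, size_t len,
                         char type[5], uint64_t *chunk_size) {
    if (len < 8) return 0;
    uint32_t size32 = be32(buf);
    memcpy(type, buf + 4, 4);
    type[4] = '\0';
    if (size32 == 1) {
        if (len < 16) return 0;
        *chunk_size = be64(buf + 8);
        return 16;
    }
    *chunk_size = size32;
    return 8;
}

/*
 * The first fix (for CVE-2015-3824): reject when SIZE_MAX - chunk_size <= size.
 * SIZE_MAX is promoted to 64 bits, so when chunk_size > SIZE_MAX the
 * subtraction wraps to a huge value and the atom is accepted. Returns 1 = accept.
 */
int size_check_incomplete(sz32_t size, uint64_t chunk_size) {
    if ((uint64_t)SZ32_MAX - chunk_size <= size) return 0;
    return 1;
}

/* The CVE-2015-3864 fix adds the missing range test on chunk_size itself. */
int size_check_fixed(sz32_t size, uint64_t chunk_size) {
    if (chunk_size > SZ32_MAX || (uint64_t)SZ32_MAX - chunk_size <= size) return 0;
    return 1;
}

/* What 'new uint8_t[size + chunk_size]' allocates once truncated to size_t. */
sz32_t alloc_len(sz32_t size, uint64_t chunk_size) {
    return (sz32_t)(size + chunk_size);
}

/* What readAt(offset, buffer + size, chunk_size) is asked to read, as size_t. */
sz32_t read_len(uint64_t chunk_size) {
    return (sz32_t)chunk_size;
}

/* 1 if copying 'size' existing bytes and then reading read_len more bytes
 * after them overruns the alloc_len-byte buffer: the heap overflow. */
int would_overflow(sz32_t size, uint64_t chunk_size) {
    return (uint64_t)size + read_len(chunk_size) > alloc_len(size, chunk_size);
}

/* Constructed atom headers for the demonstration (not from a real sample). */
const uint8_t kBenignTx3g[8] = {
    0x00, 0x00, 0x00, 0x18, 't', 'x', '3', 'g' };            /* size 0x18 */
const uint8_t kCraftedTx3g[16] = {
    0x00, 0x00, 0x00, 0x01, 't', 'x', '3', 'g',              /* largesize follows */
    0x00, 0x00, 0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xF0 };        /* 0x1FFFFFFF0 */

int main(void) {
    const sz32_t size = 0x20;   /* assumed length of already-stored text format data */
    const uint8_t *atoms[2] = { kBenignTx3g, kCraftedTx3g };
    const size_t lens[2] = { sizeof kBenignTx3g, sizeof kCraftedTx3g };
    for (int i = 0; i < 2; i++) {
        char type[5];
        uint64_t cs;
        if (!parse_atom_header(atoms[i], lens[i], type, &cs)) continue;
        printf("%s chunk_size=0x%llx incomplete=%d fixed=%d alloc=0x%x read=0x%x overflow=%d\n",
               type, (unsigned long long)cs,
               size_check_incomplete(size, cs), size_check_fixed(size, cs),
               alloc_len(size, cs), read_len(cs), would_overflow(size, cs));
    }
    return 0;
}
```

With the crafted header the incomplete check accepts a chunk_size of 0x1FFFFFFF0, the allocation truncates to 0x10 bytes, and the parser then tries to read 0xFFFFFFF0 bytes after the 0x20 already copied in; a plain 32-bit size of 0xFFFFFFF0 is caught by the older check, which is why the high 32 bits of the atom size matter. The fixed check rejects any chunk_size that does not fit in size_t before doing the subtraction.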

A YouTube video of the exploit in action was published alongside the report.


To read more about this exploit, please check out the research paper.

The report is of little consolation to Android users whose devices cannot or have not received the Stagefright patches. But at the very least, it provides some context on the threat facing users.

JavaScript appears to be an integral part of this exploit.

With that in mind, I would recommend vulnerable users activate the NoScript extension in their mobile browser (NoScript is a Firefox add-on, so in practice this means Firefox for Android). The add-on disables all JavaScript by default, giving users the option to enable it on websites they trust and to leave it disabled on sites they don’t.

NoScript therefore could prevent the malicious page’s script from completing the second step of the Metaphor chain, and without that call-back the later stages never arrive. It is a mitigation rather than a fix: the first-stage crash still happens because mediaserver parses the video with no JavaScript involved, and the only real remedy is installing the patch for CVE-2015-3864.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

3 comments on “New Stagefright exploit threatens unpatched Android devices”

  1. Bob

    University of Cambridge report finds 87.7% of Android devices are insecure.

  2. Isma'il

    Makes me glad I use a Lumia 1520. No Android in sight.

    1. Bob · in reply to Isma'il

      A great phone and it should be one which is eligible for a free upgrade to Windows 10 Mobile shortly. Windows phones are generally considered very secure.
