An exploit that lets attackers execute code remotely on Android devices using only the victims' phone numbers has been released publicly so that security teams, administrators, and penetration testers can test whether their systems remain vulnerable. Zimperium Mobile Security, a digital security company focusing on mobile enterprise devices, released the Python script it developed to exploit the vulnerability on mobile phones.
Known as Stagefright, the vulnerability, which Zimperium first discovered in April, allows attackers to gain control of an Android device via a specially crafted media file delivered via MMS. By gaining remote code execution privileges, an attacker can delete the original MMS used to gain control of the device, leaving the victim completely unaware of the hack.
Massive Interest from Developers
Zimperium had already released much of its research into the vulnerability. After initially reporting the problem to Google in April and May, the company announced in July that it would be publishing the exploit it had developed at the Black Hat USA convention in August. Slides from a presentation given by Joshua Drake, Zimperium’s VP of platform research and exploitation, have already been released by the company on YouTube.
The company has also released its own Stagefright Detector app for Android, which can be used to determine if a device is vulnerable to an exploit using the libstagefright library. The company said it is also working with Google to integrate the app’s analytical logic into Android’s Compatibility Test Suite, which would ensure that the vulnerability would be fixed in all future Android devices before they shipped.
News of the Stagefright vulnerability generated a massive response from the developer community. “We expected other researchers to explore the vulnerabilities we disclosed and discover additional vulnerabilities in the Stagefright library over time,” the company said in a blog post. “That said, we did not expect the incredible level of response from the community. We applaud the efforts of myriad researchers that flocked to audit the Android code base and collectively discovered and reported numerous additional issues.”
Other Issues with Stagefright Library Remain
Google was also quick to respond, distributing new versions of Hangouts and Messenger that block automatic processing of multimedia files arriving via MMS. According to Zimperium, these updates successfully prevent the unassisted remote exploitation vector the company had identified.
However, the company noted that the MMS attack vector was only the worst of more than 10 different ways the Android system could be attacked. Other vectors, such as browsers and instant messages, also process potentially malicious media using the Stagefright library. “With these other vectors still present, the importance of fixing issues within the code base remains very high,” Zimperium said.
Despite the potential severity, there are silver linings. The exploit is not generic, and has only been tested on a single Nexus device running Android 4.0.4. The vulnerability has been addressed in Android 5.0 and later. Nevertheless, Zimperium said that other researchers have been able to develop other exploits that take advantage of libstagefright against Android 5.0 running on an emulator.