The 'Stagefright' exploit: What you need to know
In July 2015, security company Zimperium announced that it had discovered a "unicorn" of a vulnerability inside the Android operating system. More details were publicly disclosed at the BlackHat conference in early August — but not before headlines declaring that nearly a billion Android devices could potentially be taken over without their users even knowing it.
So what is "Stagefright"? And do you need to worry about it?
We're continuously updating this post as more information is released. Here's what we know, and what you need to know.
What is Stagefright?
"Stagefright" is the nickname given to a potential exploit that lives fairly deep inside the Android operating system itself. The gist is that a video sent via MMS (text message) could be theoretically used as an avenue of attack through the libStageFright mechanism (thus the "Stagefright" name), which helps Android process video files. Many text messaging apps — Google's Hangouts app was specifically mentioned — automatically process that video so it's ready for viewing as soon as you open the message, and so the attack theoretically could happen without you even knowing it.
Because libStageFright dates back to Android 2.2, hundreds of millions of phones contain this flawed library.
Aug. 17-18: Exploits remain?
Be an expert in 5 minutes
Get the latest news from Android Central, your trusted companion in the world of Android
Just as Google began rolling out updates for its Nexus line, the Exodus firm published a blog post snarkily saying that at least one exploit remained unpatched, implying that Google screwed up with the code. UK publication The Register, in a flouncily written piece, quotes an engineer from Rapid7 as saying the next fix will come in September's security update — part of the new monthly security patching process.
Google, for its part, has yet to publicly address this latest claim.
In the absence of any further details for this one, we're inclined to believe that at worse we're back where we started — that there are flaws in libStageFight, but that there are other layers of security that should mitigate the possibility of devices actually being exploited.
One Aug. 18. Trend Micro published a blog post on another flaw in libStageFright. It said it had no evidence of this exploit actually being used, and that Google published the patch to the Android Open Source Project on Aug. 1.
New Stagefright details as of Aug. 5
In conjunction with the BlackHat conference in Las Vegas — at which more details of the Stagefright vulnerability were publicly disclosed — Google addressed the situation specifically, with lead engineer for Android security Adrian Ludwig telling NPR that "currently, 90 percent of Android devices have a technology called ASLR enabled, which protects users from the issue."
This is very much at odds with the "900 million Android devices are vulnerable" line we have all read. While we aren't going to get into the midst of a war of words and pedantry over the numbers, what Ludwig was saying is that devices running Android 4.0 or higher — that's about 95 percent of all active devices with Google services — have protection against a buffer overflow attack built in.
ASLR (Address Space Layout Randomization) is a method that keeps an attacker from reliably finding the function he or she wants to try and exploit by random arrangement of memory address spaces of a process. ASLR has been enabled in the default Linux Kernel since June 2005, and was added to Android with Version 4.0 (Ice Cream Sandwich).
How's that for a mouthful?
What it means is that the key areas of a program or service that's running aren't put into the same place in RAM every time. Putting things into memory at random means any attacker has to guess where to look for the data they want to exploit.
This isn't a perfect fix, and while a general protection mechanism is good, we still need direct patches against known exploits when they arise. Google, Samsung (1), (2) and Alcatel have announced a direct patch for stagefright, and Sony, HTC and LG say they will be releasing update patches in August.
Who found this exploit?
The exploit was announced July 21 by mobile security firm Zimperium as part of an announcement for its annual party at the BlackHat conference. Yes, you read that right. This "Mother of all Android Vulnerabilities," as Zimperium puts it, was announced July 21 (a week before anyone decided to care, apparently), and just a few words the even bigger bombshell of "On the evening of August 6th, Zimperium will rock the Vegas party scene!" And you know it's going to be a rager because it's "our annual Vegas party for our favorite ninjas," completely with a rockin' hashtag and everything.
How widespread is this exploit?
Again, the number of devices with the flaw in the libStageFright library itself is pretty huge, because it's in the OS itself. But as noted by Google a number of times, there are other methods in place that should protect your device. Think of it as security in layers.
So should I worry about Stagefright or not?
The good news is that the researcher who discovered this flaw in Stagefright "does not believe that hackers out in the wild are exploiting it." So it's a very bad thing that apparently nobody's actually using against anyone, at least according to this one person. And, again, Google says if you're using Android 4.0 or above, you're probably going to be OK.
That doesn't mean it's not a bad potential exploit. It is. And it further highlights the difficulties of getting updates pushed out through the manufacturer and carrier ecosystem. On the other hand, it's a potential avenue for exploit that apparently has been around since Android 2.2 — or basically the past five years. That either makes you a ticking time bomb, or a benign cyst, depending on your point of view.
And for its part, Google in July reiterated to Android Central that there are multiple mechanisms in place to protect users.
What about updates to fix Stagefright?
We're going to need system updates to truly patch this. In its new "Android Security Group" in an Aug. 12 bulletin, Google issued a "Nexus security bulletin" detailing things from its end. There are details on multiple CVEs (Common Vulnerabilities and Exposures), including when partners were notified (as early as April 10, for one), which build of Android featured fixes (Android 5.1.1, build LMY48I) and any other mitigating factors (the aforementioned ASLR memory scheme).
Google also said it's updated its Hangouts and Messenger apps so that they don't automatically process video messages in the background "so that media is not automatically passed to mediaserver process."
The bad news is that most folks are doing to have to wait on the manufacturers and carriers to push out system updates. But, again — while we're talking something like 900 million vulnerable phones out there, we're also talking zero known cases of exploitation. Those are pretty good odds.
HTC has said updates from here on out will contain the fix. And CyanogenMod is incorporating them now as well.
Motorola says all of its current-generation phones — from the Moto E to the newest Moto X (and everything in between) will be patched, which code going to carriers starting Aug 10.
On Aug. 5, Google released new system images for the Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9 and Nexus 10. Google also announced that it will release monthly security updates for the Nexus line for the Nexus line. (The second publicly released M Preview build appears to already be patched as well.)
And while he didn't name the Stagefright exploit by name, Google's Adrian Ludwig earlier on Google+ had already addressed exploits and security in general, again reminding us of the multiple layers that go into protecting users. He writes:
For more on how that works, read our Q&A on security with Google's Ludwig.
Stagefight detector apps
We don't really see the point in using a "detector" app to see if your phone is vulnerable to the Stagefright exploit. But if you must, there are some available.