Security Experts:

Android Stagefright Exploit Released

Enterprise mobile security firm Zimperium has published an exploit for one of the most critical Android Stagefright vulnerabilities disclosed this summer.

The existence of several serious vulnerabilities in Android’s libstagefright media library was brought to light in July by Zimperium. Experts initially estimated that the vulnerabilities, which affect all Android versions since 2.2, impacted roughly 950 million devices.

After the security firm’s initial disclosure of the bugs, several other researchers reported uncovering libstagefright and other mediaserver flaws.

The list of CVE identifiers assigned to Stagefright vulnerabilities includes CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3864 and CVE-2015-3829.

Google and other affected vendors released patches and Zimperium published a Stagefright detector app to help Android users determine if their devices are vulnerable.

The security firm announced on Wednesday that it has released a proof-of-concept exploit designed to show that CVE-2015-1538 can be exploited for remote code execution without user interaction. The exploit, available as a Python script, can be used by administrators, security teams and pentesters to determine if systems remain vulnerable or not, Zimperium said.

“This is one of the most critical vulnerabilities we reported in the Stagefright library. The expected result of the exploit is a reverse shell as the media user,” Zimperium explained in a blog post. “As detailed in Joshua Drake’s Black Hat and DEFCON presentations, this user has access to quite a few groups such as inet, audio, camera, and mediadrm. These groups allow an attacker to take pictures or listen to the microphone remotely without exploiting additional vulnerabilities.”

The company has pointed out that the exploit has only been tested on a Nexus device running Android 4.0.4 and it’s not 100 percent reliable by itself.

Shortly after the existence of the Stagefright vulnerabilities came to light, Google announced its intention to release monthly security updates for its Nexus devices. The August updates addressed many of the Stagefright flaws, but researchers soon discovered that the patch for CVE-2015-3824 was flawed.

Google has assigned CVE-2015-3864 to the new issue, which the company is expected to fix with the next round of updates.

The Stagefright vulnerabilities have had a negative impact on the already bad security reputation of the Android ecosystem. That is why several device vendors, including Samsung, LG and Motorola, have promised to step up their game and release regular security updates to ensure that users are protected.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.