Stagefright patch insufficient, leaving 950 million Android devices vulnerable
Fri 14 Aug 2015
A patch released by Google for one of the Stagefright vulnerabilities has been found to be incomplete: the patched code still contains a bug that attackers could exploit. Google was informed of the original vulnerability in April 2015; the news was reported publicly towards the end of July, followed by a talk on the subject at the Black Hat security conference.
Stagefright is the media library Android uses to parse and play audio and video, including the video attached to incoming multimedia messages (MMS). The Stagefright vulnerabilities mean that an attacker could send a malicious MMS that triggers code execution when the message is opened on, or even merely received by, an Android device running version 2.2 (Froyo) or later. An estimated 950 million Android devices are affected. The bug in the patch itself is tracked as CVE-2015-3864.
All the attacker needs is the target's mobile number, and the attack can require no user interaction, because the device may fetch and parse the media automatically on receipt. The malicious message could even be deleted before the user sees it, leaving nothing but a notification as evidence.
The initial bugs were found by Joshua Drake of security firm Zimperium zLabs, and Google subsequently released patches.
However, since then Jordan Gruskovnjak of security firm Exodus Intelligence has produced a proof-of-concept MP4 file that exploits a bug in one of those patches, so a further patch is required. Devices that have already applied the original fix therefore remain exploitable until the follow-up is applied.
Exodus notified Google on August 7 but received no reply to its request for a fix. As a result, it publicly released details of the bug on August 13, citing Linus's Law, "Given enough eyeballs, all bugs are shallow", from the book The Cathedral and the Bazaar by Eric S. Raymond.
Exodus also gave several other reasons: how widespread the vulnerability is, the amount of public attention it has already received, and the fact that Google was first notified of the flaw over 120 days ago, well past a 90-day disclosure deadline.
Exodus' post has since been updated to note that it is now working with Zimperium so that Zimperium's Stagefright Detector app can accurately detect this flaw.
At the Black Hat conference, Google said that in light of the Stagefright issue it would start releasing monthly Android security updates.