You’ve probably heard of the Stagefright Android vulnerability by now. For those unfamiliar, it is a vulnerability in the code of Android’s media library called libstagefright. The most common way to get the malware was through an MMS message that would let hackers use some components of a user’s phone, such as the cameras or even the microphones in addition to having access to their personal files. While MMS are being used with less frequency nowadays, it still represented a major threat, as the default settings on many apps that retrieve this kind of messages are programmed to do so automatically, so those who didn’t turn off this setting would potentially be at risk.
This threat really raised awareness from Google and many of their partners regarding the security situation of the Android operating system. They acted quickly to start patching their own devices, although many devices still haven’t gotten a fix. The process is a little complicated as sometimes there are many variants of a device and the updates must pass through the carrier’s approval. There were some carriers that even got to the point to block these kind of messages to ensure the security of their locked devices. Some of apps like Hangouts or Messenger were programmed to block the playback of the multimedia files contained in the MMS in the newest updates. Google and other companies have promised monthly updates for their devices in order to combat this and future threats.
It was reported that a flaw indexed as CVE-2015-3864 is immune to the current patches, so attackers can still get into someone’s phone. It was tested on a Nexus 5 with every available patch installed, and they still managed to get access to this device with the MP4 file generated by the aforementioned script. Yet, the exploit wouldn’t work on devices running Android 5.0 and above because of the new integer overflow mitigations. The attack code was released publicly on Wednesday, so now everyone can test it. This means that developers can help the companies to find a fix as soon as possible, sadly, it also means that it could be used for other purposes, so let’s hope that the right patches can be found soon to keep our devices secured.