Stagefright is the rather unfortunate name given to a piece of multimedia code embedded into the Android operating system and designed as a media player, which was included back with version, 2.2 Gingerbread. It was made famous last year because an exploit was discovered that allowed an attacker to insert a piece of malicious code deep into an Android device to rapidly and silently gain control over various aspects of the device. The Stagefright exploit was activated when the device plays a short video clip, which could arrive via a multimedia message (MMS) or from a webpage. The issue was discovered in the spring but not reported until the summer, which gave Google time to patch the issue. Approximately a billion devices were potentially at risk of the exploit and as a part of the process, Google also announced it would start rolling out monthly software updates to Android. Several manufacturers have also jumped onto this and will be rolling out these same fixes to their devices, although so far only BlackBerry have consistently delivered the goods in this respect. It is not known if the discovery of the Stagefright vulnerability prompted Google to release monthly patches or if this project was already underway.
Perhaps because the Stagefright exploit was given a lot of publicity, or perhaps because it has been difficult to do, but when it comes to actual malware that utilises the Stagefright exploit these have been thin on the ground. However, a group of Israeli researchers have announced that they have now produced the first reliable Stagefright exploit. The team have produced a PDF document (see the source below) with how to build the exploit for yourself. The PDF is something of a hackers’ manual providing a wealth of information about our devices and of the many ways these can be exploited. Given that there remain millions of unpatched, unsupported devices still in service and still vulnerable to the Stagefright exploit, guides and how-tos when it comes to sidestepping Android’s built-in security systems will be interesting to all sorts of people. The guide details how simply visiting a malicious webpage is enough to compromise the device, as the site can push a media clip to the device. This is one reason why malware could potentially infect our devices from adverts.
The team’s way of hacking into a device involves three steps. First, a malicious webpage sends the device a video file that is designed to crash the mediaserver, causing it to be restarted and reset to its internal state. Once the mediaserver has been reset, JavaScript embedded on the page sends information from the device to the attacker’s server, which then generates a custom video file that is subsequently sent back to the device. The customised video file exploits the vulnerability in the device and sends more information back to the server, which builds a second custom video. It’s this one that contains the malware: when processed by the Stagefright mediaserver, it executes the malicious content on the victum’s device with escalated privileges.
Whilst there is some work to be done on the server side of things as it needs to build a custom video file designed to attack the particular device that is viewing the webpage, over time the process could almost certainly be streamlined. The author explains that with “further research it may be possible to lay aside all or some of the lookup tables,” which could be used to produce a generic exploit. And because users do not need to press play on an embedded MPEG4 file (the exploit is triggered when the browser fetches and parses the file, not when played), this means users may not know that their device is even under attack. The exploit is reputed to work on devices running Android 2.2 through to 4.0, 5.0 and 5.1; devices running Android 4.1 through to 4.4 do not appear to be at risk from this system. For more information, check out the embedded video below.
https://youtu.be/I507kD0zG6k