Google Hacker Finds Way To Exploit Yet Another ‘Stagefright’ Bug

One year later, Stagefright still leaves some Android phones vulnerable to hacks.

Sep 9 2016, 11:00am

Image: Eric/Flickr

More than a year after the original discovery of the infamous Android bugs known as Stagefright, hackers keep finding similar flaws. On Wednesday, Google's own elite team of hackers released a proof-of-concept hacking technique that some believe could be used against practically all Android phones.

Last summer, a security researcher found that a series of bugs in a core part of the Android operating system could be abused to hack users with a simple multimedia message, potentially giving hackers full control of the phone before the target even saw the message notification. The bugs came to be known as Stagefright, and other security researchers and hackers soon found other ways to exploit them.

Stagefright was a watershed moment in the history of Android security. It pushed Google to implement a monthly update cycle in an attempt to improve Android's biggest security flaw, the fact that some critical fixes depend on the whims of phone manufacturers and not Google. Thanks to the discovery of Stagefright, Android security has overall improved—provided your phone gets patches, of course—but Android still has a long way to go.

Read More: Goodbye, Android

Google Project Zero researcher Mark Brand recently found a new bug in a part of Android's operating system known as libstagefright (hence the original Stagefright name), "deep in the bowels of the usermode Android system," as he put it in a blog post published on Wednesday.

Brand called it "an extremely serious bug," because it can be leveraged to achieve "remote code execution," hacker lingo for obtaining control of a phone from afar. The researcher detailed how he found the bug, and also released code so that others can exploit it too. Brand noted that his exploit works "on several recent Android versions for the Nexus 5x," but also added that with some more work it would be possible to use it even on the new Android Nougat.

Google called the bug "a critical security vulnerability"

The good news is that Google fixed the bug in Android's most recent release, where the company called the bug "a critical security vulnerability" that can be exploited "through multiple methods such as email, web browsing, and MMS when processing media files."

The bad news, as usual, is that unless you are among the lucky few who get regular Android updates (which essentially means you own a Google Nexus phone), you are, in theory, vulnerable. Zuk Avraham, the founder and CTO of mobile security firm Zimperium, claimed that this bug affects 99.9% of all devices, given that most people still use old Android versions, and that malicious hackers could use the technique detailed by Brand in the real world.

"This is really big," Avraham told Motherboard in an online chat, adding that he's "100%" certain that "this or similar Stagefright/Mediaserver exploits are used in the wild in targeted attacks."

A Google spokesperson, however, countered that Brand's hacking technique is just a "proof-of-concept for research purposes that could not be used in real world attacks without substantial modification and even further research," because "it does not include a full exploit chain and is specific only to a subset of Nexus devices."

Jon Sawyer, an independent researcher who specializes in Android security said that while this is a "serious" vulnerability, it's also "reasonably complex" to exploit, so it's unlikely that cybercriminals with "run of the mill malware" will use it. Sawyer is skeptical that even targeted attacks from government hackers will leverage it, given that at this point it's a public vulnerability and using it would risk making the attack more likely to be caught or detected.

In theory, however, the exploit that Brand released could be repurposed to target other versions of Android, according to Alberto Pelliccione, a former Hacking Team employee who developed the company's Android malware.

"It's not trivial, but someone whose work is to develop exploits and has studied Stagefright could do it in a few days, less than a week, for sure," Pelliccione, who now runs a defensive security company called ReaQta, told Motherboard, adding that repurposing the exploit for Nougat would be much harder.

The chances that someone targets you specifically with this exploit are low, but, as usual, if you can update your Android phone, please do it and download Nougat. If you have an old phone that's not getting security updates, you might want to invest in a new phone.

Want more Motherboard in your life? Then sign up for our daily newsletter.