Experts Found a Unicorn in the Heart of Android

By:Zuk Avraham

Follow Zuk Avraham (@ihackbanme)Joshua Drake

Follow Joshua Drake (@jduck)Nikias Bassen

Follow Nikias Bassen (@pimskeks)

UPDATE:

Zimperium’s Mobile Threat Protection customers are safe from this threat, even without updating the device to the latest Android version. Companies that have reasons to believe that they are under active Stagefright attacks, should contact us ASAP at stagefright-urgent@zimperium.com Zimperium Research Labs (zLABS) will release a video later this week with a Stagefright RCE demonstration. Several large carriers requested that we delay the release of our working exploit. We agreed, given the gravity of the situation. Unfortunately, because the patches are open-source [1, 2], many researchers are already working on creating an exploit. We are planning to release our exploit on August 24th, 2015. However, if an exploit is publicly released or attacks are detected in the wild before that date, we will release ours for testing purposes at that time. Device vendors receive the patches months after they are released. To solve this issue, ZIMPERIUM provides a global platform to assist smartphone vendors and Carriers who wish to receive mobile OS patches from Zimperium directly. Join the Zimperium Handset Alliance through – https://groups.google.com/d/forum/zimperium-handset-alliances (use your vendor/telco email to be accepted to ZHA. Other requests will get automatically rejected). More than 17 of the largest vendors and carriers have already joined ZHA. You can read how to disable auto-fetching MMS on Nexus devices here ZHA partners already received proof-of-concept code that triggers the issues and the full set of Stagefright patches. For carrier specific tips – check this post Josh will present the full details of his research at Black Hat on August 5th or DEFCON on August 7th. We invite you to join us!

Gaining remote code execution privileges merely by having access to the mobile number? Enter Stagefright.

The targets for this kind of attack can be anyone from Prime ministers, govt. officials, company executives, security officers to IT managers.

Built on tens of gigabytes of source code from the Android Open Source Project (AOSP), the leading smartphone operating system carries a scary code in its heart. Named Stagefright, it is a media library that processes several popular media formats. Since media processing is often time-sensitive, the library is implemented in native code (C++) that is more prone to memory corruption than memory-safe languages like Java.

Zimperium zLabs VP of Platform Research and Exploitation, Joshua J. Drake (@jduck), dived into the deepest corners of Android code and discovered what we believe to be the worst Android vulnerabilities discovered to date. These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. Drake’s research, to be presented at Black Hat USA on August 5 and DEF CON 23 on August 7 found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction.

Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

These screenshots were taken on a Nexus 5 (hammerhead) running the latest version, Android Lollipop 5.1.1.

Android and derivative devices after and including version 2.2 are vulnerable. Devices running Android versions prior to Jelly Bean (roughly 11% of devices) are at the worst risk due to inadequate exploit mitigations. If ‘Heartbleed’ from the PC era sends chill down your spine, this is much worse.

The Stagefright vulnerability was assigned with the following CVEs:

CVE -2015-1538

-2015-1538 CVE -2015-1539

-2015-1539 CVE -2015-3824

-2015-3824 CVE -2015-3826

-2015-3826 CVE -2015-3827

-2015-3827 CVE -2015-3828

-2015-3828 CVE -2015-3829

In this unique scenario, Zimperium not only reported the vulnerability to the Google teams, but also submitted patches. Considering severity of the problem, Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that’s only the beginning of what will be a very lengthy process of update deployment.

Remediation:

Zimperium’s advanced Enterprise Mobile Threat Protection solution, zIPS, protects its enterprise customers from Stagefright vulnerability.

For the mobile devices without zIPS protection, fixes for these issues require an OTA firmware update for all affected devices. Such updates for Android devices have traditionally taken a long time to reach users. Devices older than 18 months are unlikely to receive an update at all. We hope that members of the Android ecosystem will recognize the severity of these issues and take immediate action. In addition to fixing these individual issues, we hope they will also fix any business processes that prevent or slow the uptake of such fixes.

That said, besides Zimperium customers, two groups of users are already protected against all reported issues. Users of SilentCircle’s Blackphone have been protected against these issues as of the release of PrivatOS version 1.1.7. Mozilla’s Firefox, which is also affected, has included fixes for these issues since version 38. We applaud these vendors for prioritizing security and releasing patches for these issues quickly.

If you’re an end user or enterprise, contact your device manufacturer and/or carrier to ascertain whether or not your particular device has been updated the requisite patches. If you’re part of any of the various parties that ship derivative versions of Android that might be affected, we encourage you to reach out to obtain the patches from us directly.

Update: CERT Advisory can be found here http://www.kb.cert.org/vuls/id/924951

Acknowledgements

We would like to thank Google’s Android Security Team for taking these issues seriously, addressing them by including our patches in the Android Open Source Project, and coordinating with members of the Open Handset Alliance (OHA) to get the issues addressed in official Android compatible devices. Additionally, we’d like to thank Mozilla’s Firefox team and SilentCircle’s Blackphone team for shipping fixes in their respective software releases.

Connect with ZIMPERIUM for more updates. If you would like to protect your organization from advanced mobile threats, reach out to us here.