Stagefright attack, the Mother of all Android Vulnerabilities puts 950 million smartphones at risk

Over 95 percent of Android smartphones in circulation or roughly 950 million smartphones may be vulnerable to a unique but critical hack attack called Stagefright.

Joshua Drake from Zimperium Mobile Security discovered six + one critical vulnerabilities in the native media playback engine called Stagefright. He calls this weaknesses ‘Mother of all Android Vulnerabilities’.

Drake said that the vulnerabilities can be exploited by sending a single multimedia text message to an unpatched Android smartphone. While the exploit is deadly, in some cases, where phones parse the attack code prior to the message being opened, the exploits are silent and the user would have little chance of defending their data.

Stagefright is a native media playback tool used by Android and all these weaknesses reside in it. Drake states that they are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data.

According to Drake, all that the potential hacker needs to do is to send out the exploits to the would be mobile phone numbers. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.

Once the vulnerability is exploited, the hackers can access almost anything including recording of audio and video, snooping on photos stored in SD cards. Even the humble Bluetooth radio can also be hacked via Stagefright.

Depending on the MMS application in use, the victim might never know they had even received a message.

The vulnerabilities are so critical that sending an exploit code to to the victim’s Google Hangouts would “instantaneously trigger the exploit even before the user can even look at the smartphone or before you even get the notification”.

Another interesting aspect of the exploit is that once the it has been delivered, the hacker can delete the message before the user had been alerted about it, making attacks completely silent.

Drake will give the full disclosure along with Proof of Concept at Def Con on 6th August. He stated to Forbes that he had reported about the bugs in April this year and Google has sent out the patches to its smartphone manufacturing partners.

Drake stated that a total of seven vulnerabilities had been sent to Google by 9th April, 2015 and Google had reported back to him that it had scheduled patches on May 8th 2015. Further, Google assured Drake that all future Android versions will be released pre-patched against these vulnerabilities.

However as is the case with any Android smartphone update, the smartphone manufacturers rarely pass on the patches to the end users of the smartphone. Particularly the smaller manufacturers who make localised Android smartphones. As such, it can safely be assumed that almost 950 million Android smartphones and tablets in circulation may be exploitable using the Stagefright vulnerability.

“All devices should be assumed to be vulnerable,” Drake told Forbes. Drake says that only Android phones below version 2.2 are not affected by this particular vulnerability.

“I’ve done a lot of testing on an Ice Cream Sandwich Galaxy Nexus… where the default MMS is the messaging application Messenger. That one does not trigger automatically but if you look at the MMS, it triggers, you don’t have to try to play the media or anything, you just have to look at it,” Drake added.

In an emailed statement sent to Forbes, Google thanked Drake for reporting the issues and supplying patches, noting its manufacturer partners should deploy in the coming weeks and months.

“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device,” a spokesperson said. The Google spokesperson reached out to Techworm and said that they will be pushing additional patches for Nexus devices next week before the commencement of DefCon 2015. The mail also states that Google had already issued fix to smartphone manufacturers, however the mail did not clarify which smartphone manufacturers had issued patches to the end users. The email says “This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users. “As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at BlackHat.”

The DefCon 2015 starts in the first week August 2015 and we expect many vulnerabilities to be made public during the course of the world’s premier hacking conference. We are also seeking Google’s comments on the newly revealed Silent Attack vulnerability by Trend MicroLabs, which makes nearly 500 million Android smartphones vulnerable.