Stagefright (bug)
Stagefright is a remotely exploitable software bug that affects versions 2.2 ("Froyo") and newer of the Android operating system, and allows an attacker to perform arbitrary operations on the victim device through remote code execution and privilege escalation.[1] Security researchers demonstrate the bug with a proof of concept that sends specially crafted MMS messages to the victim device; in most cases it requires no end-user action upon message reception to succeed, and it uses the phone number as the only target information. The underlying attack vector exploits certain integer overflow vulnerabilities in a core Android component called "Stagefright",[2][3][a] which is a complex software library implemented in C++ as part of the Android Open Source Project (AOSP) and used as a backend engine for playing various multimedia formats such as MP4 files.[5][6][7][8][9]
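To illustrate the bug class named above (an integer overflow in a size computation while parsing an MP4-style table), the following is an added example, not code from libstagefright or from the original article. The table layout, function names and sample bytes are constructed for illustration; it shows a 32-bit size product wrapping to a small value and the bounds check that rejects such input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENTRY_SIZE 8u /* bytes per entry in this constructed table format */

/* Constructed inputs: [count:be32][entries]. BAD claims 0x20000001 entries. */
static const uint8_t GOOD[] = {0,0,0,2, 1,1,1,1,1,1,1,1, 2,2,2,2,2,2,2,2};
static const uint8_t BAD[]  = {0x20,0,0,1, 9,9,9,9,9,9,9,9};

/* Read a big-endian 32-bit field, as MP4 boxes store them. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Flawed pattern: the 32-bit product wraps, so 0x20000001 * 8 becomes 8. */
uint32_t alloc_size_unchecked(uint32_t count) {
    return count * ENTRY_SIZE;
}

/* Hardened pattern: compare the count against the bytes actually present.
 * Dividing instead of multiplying means the check itself cannot overflow. */
int alloc_size_checked(uint32_t count, size_t avail, size_t *out) {
    if (count > avail / ENTRY_SIZE) return -1;
    *out = (size_t)count * ENTRY_SIZE;
    return 0;
}

/* Parse a table; returns a heap copy of the entries or NULL if malformed. */
uint8_t *parse_table(const uint8_t *buf, size_t len, uint32_t *count_out) {
    size_t need;
    if (len < 4) return NULL;
    uint32_t count = be32(buf);
    if (alloc_size_checked(count, len - 4, &need) != 0) return NULL;
    uint8_t *entries = malloc(need ? need : 1);
    if (entries == NULL) return NULL;
    memcpy(entries, buf + 4, need);
    *count_out = count;
    return entries;
}

int main(void) {
    uint32_t n = 0;
    uint8_t *t = parse_table(GOOD, sizeof GOOD, &n);
    printf("good: %u entries; bad wraps to %u bytes; parser %s it\n", n,
           alloc_size_unchecked(be32(BAD)),
           parse_table(BAD, sizeof BAD, &n) ? "accepts" : "rejects");
    free(t);
    return 0;
}
```

The wrapped size (8) equals the number of payload bytes in the constructed bad input, so a check applied to the product rather than to the count would pass.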
The Stagefright bug was discovered by Joshua Drake from the Zimperium security firm, and was publicly announced on July 27, 2015. Prior to the announcement, Drake reported the bug to Google in April 2015, which incorporated a related bugfix into its internal source code repositories two days after the report. In July 2015, Evgeny Legerov, a Moscow-based security researcher, announced that he had found two similar heap overflow zero-day vulnerabilities in the Stagefright library, claiming that the library had already been exploited for a while.[1][10] As of July 2015, the full public disclosure of the bug is scheduled for the Black Hat USA computer security conference on August 5, 2015, and for the DEFCON 23 hacker convention on August 7, 2015.[5][6][7][9] The bug has been assigned multiple CVE identifiers,[b] which are collectively referred to as the Stagefright bug.[11]
As of August 3, 2015, only a few products have actually been patched against the bug: Blackphone's PrivatOS since its version 117, nightly releases of CyanogenMod 12.0 and 12.1,[12] Sprint's variant of the Samsung Galaxy Note 4,[13] and Mozilla Firefox since its version 38[14] (this web browser internally uses Android's Stagefright library).[6][7][15] While Google maintains Android's primary codebase, firmware updates for various Android devices are the responsibility of wireless carriers and original equipment manufacturers (OEMs). As a result, propagating patches to the actual devices often introduces long delays due to the large fragmentation between the manufacturers, device variants, Android versions, and various Android customizations performed by the manufacturers;[16][17] furthermore, many older devices may never receive patched firmware at all.[18] Thus, the nature of the Stagefright bug highlights the technical and organisational difficulties associated with the propagation of Android patches.[6][19]
Certain mitigations exist for unpatched devices, including disabling the automatic retrieval of MMS messages and blocking the reception of text messages from unknown senders; however, these mitigations are not supported by all MMS applications (Hangouts, for example, supports the former). Further mitigation comes from some of the security features built into newer versions of Android that may help in making exploitation of the Stagefright bug more difficult; an example is the address space layout randomization (ASLR) feature that was introduced in Android 4.0 "Ice Cream Sandwich" and fully enabled in Android 4.1 "Jelly Bean".[1][2][6][20] Thus, updating to the latest version of Android may help alleviate the issue, although as of July 28, 2015, it is unknown whether the latest releases of Android 5.1 "Lollipop" include actual patches against the Stagefright bug.[11][21]
On August 13, 2015, another Stagefright vulnerability, CVE-2015-3864, was published by Exodus Intelligence.[22] The CyanogenMod team published a notice that they have incorporated patches for CVE-2015-3864 in the CyanogenMod 12.1 source on August 13, 2015.[23]
See also
- Android version history – a list and descriptions of the released versions of Android
- Phishing – the attempt to acquire sensitive information by masquerading as a trustworthy entity in an electronic communication
Notes
- ^ Internally, the library is referred to as libstagefright.[4]
- ^ The assigned CVE identifiers are CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, and CVE-2015-3829.[11]
References
- ^ a b c "How to Protect from StageFright Vulnerability". zimperium.com. July 30, 2015. Retrieved July 31, 2015.
- ^ a b Garret Wassermann (July 29, 2015). "Vulnerability Note VU#924951 – Android Stagefright contains multiple vulnerabilities". CERT. Retrieved July 31, 2015.
- ^ "Android Interfaces: Media". source.android.com. May 8, 2015. Retrieved July 28, 2015.
- ^ "platform/frameworks/av: media/libstagefright". android.googlesource.com. July 28, 2015. Retrieved July 31, 2015.
- ^ a b Michael Rundle (July 27, 2015). "'Stagefright' Android bug is the 'worst ever discovered'". Wired. Retrieved July 28, 2015.
- ^ a b c d e Steven J. Vaughan-Nichols (July 27, 2015). "Stagefright: Just how scary is it for Android users?". ZDNet. Retrieved July 28, 2015.
- ^ a b c Alex Hern (July 28, 2015). "Stagefright: new Android vulnerability dubbed 'heartbleed for mobile'". The Guardian. Retrieved July 29, 2015.
- ^ Mohit Kumar (July 27, 2015). "Simple Text Message to Hack Any Android Phone Remotely". thehackernews.com. Retrieved July 28, 2015.
- ^ a b "Experts Found a Unicorn in the Heart of Android". zimperium.com. July 27, 2015. Retrieved July 28, 2015.
- ^ Thomas Fox-Brewster (July 30, 2015). "Russian 'Zero Day' Hunter Has Android Stagefright Bugs Primed For One-Text Hacks". Forbes. Retrieved July 31, 2015.
- ^ a b c Robert Hackett (July 28, 2015). "Stagefright: Everything you need to know about Google's Android megabug". Fortune. Retrieved July 29, 2015.
- ^ "CyanogenMod: Recent Stagefright issues". plus.google.com. July 27, 2015. Retrieved July 28, 2015.
- ^ Ryan Whitwam (August 3, 2015). "Sprint's Galaxy Note 4 Gets Android 5.1.1 Update With Stagefright Vulnerability Fix". androidpolice.com. Retrieved August 5, 2015.
- ^ "Buffer overflow and out-of-bounds read while parsing MP4 video metadata". mozilla.org. May 12, 2015. Retrieved July 28, 2015.
- ^ Thomas Fox-Brewster (July 27, 2015). "Stagefright: It Only Takes One Text To Hack 950 Million Android Phones". Forbes. Retrieved July 28, 2015.
- ^ Jamie Lendino (July 27, 2015). "950M phones at risk for 'Stagefright' text exploit thanks to Android fragmentation". extremetech.com. Retrieved July 31, 2015.
- ^ Jordan Minor (July 30, 2015). "There's (Almost) Nothing You Can Do About Stagefright". PC Magazine. Retrieved July 31, 2015.
- ^ Cooper Quintin (July 31, 2015). "StageFright: Android's Heart of Darkness". Electronic Frontier Foundation. Retrieved August 2, 2015.
- ^ Phil Nickinson (July 27, 2015). "The 'Stagefright' exploit: What you need to know". Android Central. Retrieved July 29, 2015.
- ^ Jon Oberheide (July 16, 2012). "Exploit Mitigations in Android Jelly Bean 4.1". duosecurity.com. Retrieved July 31, 2015.
- ^ Michael Crider (July 28, 2015). "Google Promises a Stagefright Security Update For Nexus Devices Starting Next Week". androidpolice.com. Retrieved July 31, 2015.
- ^ "Stagefright: Mission Accomplished?". blog.exodusintel.com. August 13, 2015. Retrieved August 15, 2015.
- ^ "More Stagefright". www.cyanogenmod.org. August 13, 2015. Retrieved August 15, 2015.
External links
- Stagefright demo by zLabs on YouTube, August 5, 2015
- Exploits database for the Android platform
- CVE security vulnerabilities for the Google Android
- Google's Android codebase patches against the Stagefright bug: patch #1, patch #2 and patch #3