Two new Stagefright vulnerabilities, affecting all released versions of Android, were disclosed by Joshua Drake, vice president of platform research and exploitation at Zimperium Inc., based in San Francisco. One vulnerability affects versions all the way back to Android 1.0, and one affects versions 5.x. Drake did the original research that showed Android Stagefright would affect Android versions 2.2 and newer.
According to Zimperium, the Android Stagefright vulnerabilities could allow an attacker to send a file that appears to be an MP3 or MP4, but will execute malicious code when the metadata for that file is previewed. If the file is provided via a malicious website, this code could be executed without the user ever knowing.
On Monday, Google announced that there were more than 1.4 billion Android devices in active use around the world, and this news would mean all of those devices are potentially at risk.
It is unclear, though, how much more dangerous the Android Stagefright vulnerabilities are for users in light of these new disclosures. As Google noted when the original news came out, Android versions 4.1 and higher use address space layout randomization (ASLR), which greatly reduces the likelihood of a successful exploit, and Android versions 5.0 and higher make ASLR even stronger by requiring position-independent executables (PIE) for all dynamically linked executables.
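The PIE requirement mentioned above is something a defender can verify directly: an ELF image whose header type is ET_EXEC is linked to a fixed load address and cannot be relocated by ASLR, while an ET_DYN image can. The following Python script is an added example written for this article, not code from Google, Zimperium or the Stagefright research; it parses only the ELF header (the `make_header` helper builds constructed, minimal headers so the script runs without a real Android binary, and the machine values and layout are the standard ELF ones). It does not distinguish a PIE executable from a shared library, since both are ET_DYN; that distinction needs the program headers.

```python
import struct

ET_EXEC = 2   # fixed load address: ASLR cannot move the main image
ET_DYN = 3    # relocatable image: a PIE executable or a shared object


def classify_elf(data: bytes) -> dict:
    """Parse an ELF header and report whether the image can be randomized.

    Returns a dict with the bit width, the e_type name and a boolean
    'position_independent'. Raises ValueError on non-ELF input.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"        # 1 = little, 2 = big
    (e_type,) = struct.unpack_from(endian + "H", data, 16)  # e_type at offset 16
    names = {ET_EXEC: "ET_EXEC", ET_DYN: "ET_DYN"}
    return {
        "bits": 32 if ei_class == 1 else 64,
        "type": names.get(e_type, "unknown(%d)" % e_type),
        "position_independent": e_type == ET_DYN,
    }


def make_header(e_type: int, bits: int = 64, little_endian: bool = True) -> bytes:
    """Build a minimal, constructed ELF header with no segments or sections.

    This exists only so the parser can be exercised offline; the values are
    the standard ELF layout (AArch64 = 183, ARM = 40 for e_machine).
    """
    ident = (b"\x7fELF"
             + bytes([1 if bits == 32 else 2, 1 if little_endian else 2, 1])
             + b"\x00" * 9)
    endian = "<" if little_endian else ">"
    if bits == 64:
        # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
        # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
        body = struct.pack(endian + "HHIQQQIHHHHHH",
                           e_type, 183, 1, 0, 64, 0, 0, 64, 56, 0, 64, 0, 0)
    else:
        # Same fields; 32-bit ELF uses 4-byte addresses and offsets
        body = struct.pack(endian + "HHIIIIIHHHHHH",
                           e_type, 40, 1, 0, 52, 0, 0, 52, 32, 0, 40, 0, 0)
    return ident + body


def audit_paths(paths):
    """Classify each file on disk; errors are reported rather than raised,
    so one bad file does not stop an audit of a whole directory."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                results[path] = classify_elf(fh.read(64))
        except (OSError, ValueError) as exc:
            results[path] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    # Constructed samples: a fixed-address binary and a PIE-style binary
    for label, hdr in (("fixed-address", make_header(ET_EXEC)),
                       ("position-independent", make_header(ET_DYN))):
        print(label, classify_elf(hdr))
```

On a real device the same check can be done with `readelf -h` on a pulled binary (the "Type" field reads EXEC or DYN); the script above is useful when many images need to be triaged at once with `audit_paths`.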
Google's latest Android platform version numbers show 92% of all active Android devices use versions 4.1 and higher -- 21% are on Android 5.0 or higher -- meaning there are still approximately 112 million devices that are both at risk and lack the added protection of ASLR or PIE.
Google said it has not received any reports of active exploitation of these vulnerabilities, but Tyler Shields, senior analyst at Forrester Research Inc. in Cambridge, Mass., said that ASLR can still be bypassed and that it is very difficult for a user to know whether they have been a victim of a Stagefright exploit.
"A well-formulated exploit would result in a backdoor on the targeted device, without the end user even knowing that the attack occurred," Shields said. "Compromise is relatively simple and can be sent in via multiple different inbound vectors. The exploit code is out there and available today, it's just a matter of choosing your target and firing."
Google said that it has been in contact with Zimperium throughout the process, and has since updated its Hangouts and Messenger apps, so they will not automatically pass media to vulnerable processes. Additionally, fixes for the new vulnerabilities will be released to Nexus users and the Android Open Source Project codebase as part of the next monthly security update due out on Oct. 5. Also, the patches were seeded to manufacturers as of Sept. 10, so they could get those fixes out to other Android users.
Shields said that the biggest problem for Google is not the exploit itself or the multiple vectors for attack, but that it is unknown when or if users will get the patches that Google has seeded to manufacturers.
"The problem is the time to remediation is not manageable. The supply chain that each patch has to go through before it hits the consumer is way too long, prone to push back and problems, and makes it nearly impossible for security to be quickly implemented," Shields said. "Google has got to get a better handle on the security patching process for all handsets, regardless of what the OEM vendors want. The security of the consumer is paramount."