StageFright: A word of fear for Android devices?
Figure 1- Stage
Introduction
When it comes to smartphones and Android devices, there are billions of billions of users using Android OS worldwide. 1.5 million Android devices are activated daily, including smartphones, tablets, and Android wearables. If you keep this figure in mind, then there are billions of users using Android OS. These figures show just how popular Android is right now. People like this operating system very much. But with the increase in users, security concerns are rising.
Figure 2- Rising
If we talk about the global market share of Android devices, it is more than 82% worldwide. This means most smartphone users are using Android OS. But with this increase in users, mobile security is also at risk, because a bug called StageFright has been detected that puts the mobile security of billions of Android users at risk. This article describes all about StageFright.
Figure 3- Showing global
What is StageFright?
According to Wikipedia:
“Stagefright is the collective name for a group of software bugs that affect versions 2.2 ("Froyo") and newer of the Android operating system, allowing an attacker to perform arbitrary operations on the victim device through remote code execution and privilege.”
Who discovered StageFright?
A top Android researcher, Joshua Drake (@jduck), who works in Zimperium’s zLabs team, discovered the most vulnerable bug in Android OS, and it was publicly announced for the first time on July 27, 2015. Zimperium’s team is also calling it the ‘Mother of all Android Vulnerabilities’, as it impacts 95% or 950 million of all Android devices and does not require any interaction with the victim.
Why is StageFright the most vulnerable bug?
It is the most vulnerable because a hacker can get into your Android device without interacting with the victim and can operate remotely and silently, and you can never guess that you are the victim if you are not a techie and smart enough. Below is a StageFright demo video released by Zimperium’s zLabs and Joshua Drake. In this video, Joshua Drake shows how a hacker can get into your device and what type of privileges he/she can escalate.
See StageFright Demo Video
StageFright Versions
There are two versions that exploit an Android device:
- StageFright 1.0
- StageFright 2.0
StageFright 1.0
Google has released a patch that fixes StageFright 1.0. StageFright uses the auto-retrieval MMS option of messaging and chat apps to send malicious files to your Android device and silently get into it through the libStageFright mechanism (thus the "Stagefright" name), which helps Android process video files. Many text messaging apps (Google's Hangouts app was specifically mentioned) automatically process that video so it's ready for viewing as soon as you open the message, so the attack theoretically could happen without you even knowing it. Google says that StageFright 1.0 is fixed. As for my own smartphone, a Motorola G, it got an update that also includes the StageFright 1.0 patch.
You can get an idea about StageFright 1.0 from the following link:
Avast blog for StageFright 1.0
StageFright 2.0
According to Zimperium, a pair of recently discovered vulnerabilities makes it possible for an attacker to get into an Android device with an MP3- or MP4-like file: when the metadata for that file is previewed by the OS, the file could execute malicious code. Delivered via a website built specifically for delivering these malformed files, or in a man-in-the-middle attack, this code could be executed without user interaction.
“Zimperium claims to have confirmed remote execution and brought this to Google's attention on August 15. In response, Google assigned CVE-2015-3876 and CVE-2015-6602 to the pair of reported issues and started working on a fix.”
Is your Android device vulnerable to StageFright 2.0?
According to Zimperium: “In one way or another, yes. CVE-2015-6602 refers to a vulnerability in libutils, and as Zimperium points out in their post announcing the discovery of this vulnerability it impacts every Android phone and tablet going back as far as Android 1.0. CVE-2015-3876 affects every Android 5.0 and higher phone or tablet, and could theoretically be delivered via a website or man in the middle attack.”
What is CVE?
I have been talking about CVE, but what actually is CVE?
CVE stands for Common Vulnerabilities and Exposures. The CVE system provides a reference method for publicly known information-security vulnerabilities and exposures.
CVE-ID Syntax
There was also an old version of the CVE syntax, which is a little bit different from the syntax defined below.
CVE prefix + Year + Arbitrary Digits [ New syntax implemented from Jan 1st, 2014 ]
So if someone asks what CVE-2015-6602 is, we can easily describe it: it is a threat (Common Vulnerabilities and Exposures) which came in the year 2015, having the ID digits 6602. By entering CVE-2015-6602 on the website www.cvedetails.com you can get more information, resources and links for that particular CVE. I hope that CVE-YYYY-NNNN is no longer a new thing for you. You are aware of it and can answer if someone asks.
Figure 4- Fetching
The following figure clearly shows the difference between the old CVE syntax and the new CVE syntax.
Figure 5- Showing
Image Source- mitre.org
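The syntax rule above, as an added example that is not part of the original article: a Python parser that accepts both the old four-digit and the new variable-length CVE-ID forms and checks a patch bulletin for the two StageFright 2.0 CVEs named earlier. The bulletin text, the seven-digit ID and all function names are constructed for illustration.

```python
import re

# CVE prefix + Year + Arbitrary Digits (old syntax: exactly four; new: four or more).
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
# What a parser written only for the old fixed-width syntax looks like.
OLD_ONLY_RE = re.compile(r"CVE-\d{4}-\d{4}", re.IGNORECASE)
# The two StageFright 2.0 identifiers named in this article.
STAGEFRIGHT_2 = {"CVE-2015-3876", "CVE-2015-6602"}

# Constructed sample text, not a real vendor bulletin.
SAMPLE_BULLETIN = """Security update (constructed example)
Fixed: cve-2015-3876
Fixed: CVE-2015-6602000   <- constructed seven-digit ID, unrelated issue
Fixed: CVE-2015-012345    <- malformed: zero-padded beyond four digits
"""


def parse_cve(text):
    """Return (year, digits, fits_old_syntax), or None if the ID is malformed."""
    m = CVE_RE.fullmatch(text.strip())
    if not m:
        return None
    year, digits = int(m.group(1)), m.group(2)
    # Leading zeros only pad numbers below 1000 up to four digits.
    if len(digits) > 4 and digits.startswith("0"):
        return None
    return year, digits, len(digits) == 4


def extract_cves(document):
    """Collect every well-formed CVE ID in free text, upper-cased."""
    ids = {m.group(0).upper() for m in CVE_RE.finditer(document)}
    return {cve for cve in ids if parse_cve(cve)}


def extract_old_only(document):
    """Fixed-width matching: silently truncates longer IDs."""
    return {m.group(0).upper() for m in OLD_ONLY_RE.finditer(document)}


def missing_stagefright2_fixes(bulletin):
    """StageFright 2.0 CVEs that the bulletin does not list as fixed."""
    return sorted(STAGEFRIGHT_2 - extract_cves(bulletin))


if __name__ == "__main__":
    print("missing:", missing_stagefright2_fixes(SAMPLE_BULLETIN))
    print("old-syntax parser saw:", sorted(extract_old_only(SAMPLE_BULLETIN)))
```

On the sample text the variable-length parser reports CVE-2015-6602 as still missing, while the fixed-width pattern truncates the longer ID and wrongly counts it as fixed.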
How do I know whether my Android device is affected by the StageFright 2.0 vulnerability?
Zimperium launched a tool, StageFright Detector, which tells us about the StageFright vulnerability for our Android device. You can download their app from Google Play Store.
How to fight StageFright 2.0 until the patch arrives?
- Try not to download MP3 or MP4 files from your web browsers.
- Avoid public networks.
- Secure your Wi-Fi connection with strong passwords.
- Pay attention to where and what you are browsing.
Operating systems that have fixed StageFright 2.0
Blackphone 2 is a smartphone in which the phone is encrypted to tighten security. The company named it Silent OS, which is also built from Android open source.
CyanogenMod OS has been patched for StageFright 2.0.
I am surprised at what Google is doing. Is Google seriously doing something to secure its OS like the iPhone? iOS is much more secure than Android. iOS releases updates in a timely fashion to make it secure and for better performance, and keeps an eye on its store. I read the news 10-20 days ago that a Chinese app on iOS was trying to get information. Apple quickly blocked that app from its store. This is called a secure environment with quick action.
Wrap Up
Although Android devices cover more than 83% of the market globally, if security issues continue, people will lose interest in Android devices. Billions of Android devices are at risk. Privacy is also at risk. A StageFright attacker can get access to your Android device at root level and can do anything. Let’s see what happens in the coming months. Hoping for a better future for Android devices in terms of security.
Happy reading. Please share your views via comments.