Bigger Stagefright: Another Bug Found in Android

Plus, Google Is Shipping Flawed Fix, Researchers Warn

There's more bad news for Android users. In the wake of the discovery of the serious Stagefright flaw, which affects an estimated 950 million devices, security researchers say they discovered yet another related flaw in the Android code base.

In addition, warnings are being sounded over Google's Stagefright patch for the Android code base, with one research group saying that the fix introduces new flaws that could be exploited by attackers to crash devices en masse.

All of the "Stagefright" flaws refer to bugs in Android's mediaserver program, and the latest vulnerability could be exploited to take control of a device, warns Wish Wu, a mobile researcher at security firm Trend Micro, which discovered the latest Stagefright bug and reported it to Google, supported by a proof-of-concept attack app, on June 19.

Wu, in a blog post, says Trend Micro waited until Google had shipped a fix before publicly revealing details of the flaw, and says there are no signs of related attacks in the wild.

Google recently patched all of the flaws in the Android Open Source Project. The flaws had collectively been assigned eight different CVE identifiers, referring to MITRE's common vulnerabilities and exposures list.

Google has started automatically updating recent Nexus devices - which it sells - on a monthly basis, so many Nexus users should automatically receive a related patch by September. But it's unclear when hundreds of millions of other Android devices from other manufacturers - all versions of Android 2.3 to 5.1.1 are reportedly at risk - might receive a fix, if ever.

The latest Stagefright flaw - designated as CVE-2015-3842 - involves a mediaserver component called AudioEffect, which Wu says could be targeted via a malicious app. "For an attack to begin, attackers convince the victim to install an app that doesn't require any required permissions, giving them a false sense of security," Wu says. From there, however, the attackers can design the app to cause a buffer overflow, which then allows them to run any code of their choosing on the device, with the same permissions as the mediaserver app.

"Since the mediaserver component deals with a lot of media-related tasks, including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk," Wu says. "Devices with customized versions of Android but with no modification made to the mediaserver component are also affected."

Automatic Exploits

The discovery of the latest Stagefright flaw follows the discovery of the other issues by Joshua Drake, who's vice president of research and exploitation at Zimperium zLabs - part of security provider Zimperium Mobile Security - and co-author of "Android Hacker's Handbook."

In advance of his related Black Hat talk earlier this month, Drake in late July revealed that, in April, he had warned Google about multiple flaws he found in mediaserver that appear to be present on 95 percent of the world's estimated 1 billion Android systems. One of those flaws, he said, could be exploited via a malicious multimedia text message - and on about half of devices, requiring no user intervention - to seize control of vulnerable devices. Other flaws, meanwhile, could reportedly be used to send devices into endless reboots, or render devices silent.

Drake says he waited more than 90 days to give Google time to fix and ship a patch for the flaws, which is the amount of time Google now grants other vendors when it discovers flaws in their products (see Google's Psychological Patch Warfare).

In the wake of Drake previewing his research, the U.S. Computer Emergency Response Team immediately issued an emergency alert with instructions for how to partially mitigate the flaw. It also warned that vendors that have shipped devices that run the vulnerable versions of Android include Amazon, Barnes and Noble, Google, HTC, Huawei Technologies, Kyocera Communications, LG Electronics, Google's Motorola, Samsung Mobile and Sony.

Attention quickly focused on the open source Android ecosystem, sparking questions over whether OEMs and carriers that are slow to - or never - issue patches would indeed fix vulnerable devices that they had sold or provided under contract to customers. Drake's research also triggered sharp questions about whether as-yet-unpatched Android devices could still be deemed safe for enterprise use (see Android Stagefright: Exit Stage Left).

Android: Some Monthly Patches

Google, however, continues to downplay the risk that the Stagefright flaws pose to users. While the company did not respond to a request for comment, it has issued the following Stagefright-related statement: "Currently, over 90 percent of Android devices have a technology called ASLR enabled, which protects users from this issue," Google says, referring to address space layout randomization. That's designed to help block buffer-overflow attacks, which attackers can sometimes use to seize control of devices. "We've already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update."

One bit of good news to come from Stagefright is that Google - as well as Samsung and LG - has announced that it will begin issuing monthly over-the-air updates to patch and upgrade the Android devices it currently supports (see New Android 'Certifi-gate' Bug Found). That said, no promises have been made, at least by third-party OEMs that customize Android, about how quickly they will ship security updates after they get released to the Android Open Source Project.

Google's Flawed Stagefright Fix

As noted, however, Google's Stagefright fix also appears to be flawed. Zero-day vulnerability research firm Exodus Intelligence warned in an Aug. 13 blog post that Google's four-line Stagefright fix was faulty. The company reported that it had successfully crafted a proof-of-concept MP4 file that could exploit the flawed Stagefright fix to crash the device.

Zimperium's Drake believes that one of the Stagefright flaws - allowing attackers to compromise devices by sending malicious multimedia texts - is already being exploited in the wild, and Exodus Intelligence says it's likely that Google's flawed fix will soon also be exploited by hackers. "There has been an inordinate amount of attention drawn to the bug - we believe we are likely not the only ones to have noticed [that Google's fix] is flawed," Exodus Intelligence warns. "Others may have malicious intentions."

In addition, despite warning Google about the flaw in its Stagefright patch, Exodus Intelligence says that "Google is still currently distributing the faulty patch to Android devices via OTA updates."

Google did not respond to a request for comment about the Exodus Intelligence research.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



