Security researchers at Zimperium have released a working version of Stagefright exploit code.
Zimperium said it was publishing the software so that administrators and penetration testers can validate the effectiveness of the Android community's response to patching the security hole. Google is only just getting around to publishing a comprehensive fix for Stagefright, following a flawed attempt to fix the mega-vuln last month.
The Stagefright vulnerability (CVE-2015-1538) can allow remote code execution without user interaction on vulnerable Android devices. All an attacker would need to do is send a booby-trapped MMS message to a prospective mark's mobile phone.
Joshua J. Drake of Zimperium discovered the multiple critical flaws in Android's media library – libstagefright – that spawned what became known as the Stagefright vulnerability. Zimperium originally intended to publish exploit code validating its concerns during Black Hat last month, but held off for reasons discussed in a blog post, which includes the exploit source.
Among these reasons is the availability of exploits independently developed by other researchers. Zimperium explained that it was making the working exploit available now for testing purposes.