'Millions' of Android mobes vulnerable to new Stagefright exploit

Paper lays out how to bypass Google's ASLR


A group of Israeli researchers reckon they've cracked the challenge of crafting a reliable exploit for the Stagefright vulnerability that emerged in Android last year.

In a paper [PDF] that's a cookbook on how to build the exploit for yourself, they suggest millions of unpatched Android devices are vulnerable to their design, which bypasses Android's security defenses. Visiting a hacker's webpage is enough to trigger a system compromise, we're told.

Since no hot piece of infosec action exists without a name these days, the paper, written by Hanan Be’er of North-Bit, dubs the implementation of the Stagefright exploit “Metaphor.”

Stagefright is the name of a software library used by Android to parse videos and other media; it can be exploited by a booby-trapped message or webpage to execute malicious code on vulnerable devices.

The paper describes a three-step process for reliably hijacking an Android device: the victim surfs to a malicious webpage that serves a video file which crashes the operating system's mediaserver process, forcing it to restart with a fresh, known internal state. JavaScript on the page waits for mediaserver to come back up, then sends information about the device over the internet to the attacker's private server.

This server then generates a custom video file that is sent to the device; when Stagefright parses it, the file leaks more information about the process's internal state, such as where key libraries sit in memory. The JavaScript beams this back to the attacker's server, which uses it to craft a third video file that, when processed by Stagefright, starts executing a payload embedded within the file on the victim's handheld. That code runs with the privileges of the mediaserver process, which are enough to spy on the device's owner.

While North-Bit reckons its exploit design is reliable, you'll have to, as described above, do some server-side work to deploy Metaphor.

In particular, you need to gather information about where libc.so and libicui18n.so are loaded in memory, and how jemalloc, the heap allocator, is configured on the device. This is why the aforementioned JavaScript phones home data about a victim's device: the exploit is tailored to the memory layout and firmware of that particular handset.

The exploit also needs to perform a heap spray to work, and that means the attacker may need to attempt exploitation multiple times on the target.

However, North-Bit says that with “further research it may be possible to lay aside all or some of the lookup tables” used to generate custom malicious video files – and that would lay the groundwork for a generic exploit.

The exploit specifically attacks the CVE-2015-3864 bug in a “fast, reliable and stealthy” way that bypasses ASLR – aka address space layout randomization, a mechanism that randomizes where libraries and other memory regions are loaded so an attacker cannot know their addresses in advance, and which thwarts a lot of exploit writers.

It's also important to note that the victim doesn't have to press play on a rigged MPEG4 video file, because the bug is triggered when the web browser simply fetches and parses the file upon first seeing it.

"It was claimed [the bug] was impractical to exploit in the wild, mainly due to the implementation of exploit mitigations in newer Android versions, specifically ASLR," the paper states.

"The team here at North-Bit has built a working exploit affecting Android versions 2.2 to 4.0 and 5.0 to 5.1, while bypassing ASLR on versions 5.0 to 5.1 (as Android versions 2.2 to 4.0 do not implement ASLR)."

Google released security patches to kill Stagefright's vulnerabilities, although not every Android phone and tablet can receive and install them: some manufacturers and network carriers were in no rush to update older models, leaving potentially millions of gadgets at the mercy of exploits like the one built by North-Bit.

North-Bit has published a video demonstrating its proof-of-concept exploit. ®

Updated to add

A Google spokesman has been in touch to say: "Android devices with a security patch level of October 1, 2015 or greater are protected because of a fix we released for this issue (CVE-2015-3864) last year. As always, we appreciate the security community's research efforts as they help further secure the Android ecosystem for everyone."
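Putting Google's statement next to North-Bit's claimed version ranges gives a quick triage rule for a handset you can reach over adb. The script below is an added example, not code from the paper or from North-Bit: it assumes adb access and the standard ro.build.version.release and ro.build.version.security_patch properties (the latter is not set on builds that predate monthly patch levels, which the script treats as unpatched). The file name in the usage line is made up.

```shell
#!/bin/sh
# Added triage script (not North-Bit's code). It encodes two statements
# from this page: North-Bit says the exploit affects Android 2.2-4.0 and
# 5.0-5.1, and Google says a security patch level of 2015-10-01 or later
# carries the CVE-2015-3864 fix. It assumes the standard properties
# ro.build.version.release and ro.build.version.security_patch, the
# latter absent on builds that predate monthly patch levels.

# patch_level_ok LEVEL: succeed when LEVEL is a YYYY-MM-DD date at or
# after 2015-10-01. An empty or malformed level counts as not patched.
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Drop the dashes so the date compares as an integer: 2015-10-01 -> 20151001.
    [ "$(printf '%s' "$1" | tr -d '-')" -ge 20151001 ]
}

# release_in_affected_range RELEASE: succeed when RELEASE falls in the
# version ranges North-Bit claims a working exploit for.
release_in_affected_range() {
    case "$1" in
        2.2*|2.3*|3.*|4.0*) return 0 ;;
        5.0*|5.1*) return 0 ;;
        *) return 1 ;;
    esac
}

# exposed RELEASE LEVEL: succeed when the device is in an affected
# release range and has not reached the patch level Google cites.
exposed() {
    if patch_level_ok "$2"; then
        return 1
    fi
    release_in_affected_range "$1"
}

# probe_device: read both properties over adb and report. adb output
# carries CR line endings, hence the tr.
probe_device() {
    rel=$(adb shell getprop ro.build.version.release 2>/dev/null | tr -d '\r')
    lvl=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')
    if [ -z "$rel" ]; then
        echo "no device reachable over adb" >&2
        return 2
    fi
    if exposed "$rel" "$lvl"; then
        echo "Android $rel, patch level '${lvl:-none}': exposed per the claims above"
    else
        echo "Android $rel, patch level '${lvl:-none}': outside the affected, unpatched set"
    fi
}

# Usage: sh stagefright_triage.sh --probe   (with a device attached)
if [ "${1:-}" = "--probe" ]; then
    probe_device
fi
```

The patch-level check is the one that matters in practice: a 5.1 device whose vendor shipped the October 2015 fix is out of scope even though its release number sits in North-Bit's range, while a 5.1 device with no security_patch property at all never received a post-bulletin build and should be treated as exposed.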
