Stagefright is worse than you thought

Back from the dead with a vengeance

This sounds just like a cheesy '80s horror flick where the villain "dies" at the end only to return even stronger in yet another sequel. It seems Stagefright, or more accurately the family of malware which exploits a vulnerability in Android's low-level media playback system of the same name, just won't lie down no matter how much you throw at it.

We wrote about this last year when we showed a video of it in action, and also, embarrassingly for Google, again when they screwed up a fix for it. Perhaps their difficulties back then are reflected in this new outbreak.

This variant of the Stagefright attack vector is called "Metaphor", and it is claimed that vulnerable devices can be infected when they merely visit a specially crafted web page. As before, it's delivered in the form of a video file which the user doesn't even have to press play to activate, since it will begin playing all by itself. Ouch.

Google has a headache

Stagefright is the multimedia component in Android, written in C++. It is a fundamental low-level system service that anything requiring media playback interacts with. It has to be open enough to allow content to be played which it hasn't seen before, yet secure enough to block malware embedded within it. The exploits work by carefully crafting a file, for example a video, so that it appears to be structured internally entirely correctly, and would begin playback accordingly, but the decoding of the file results in some extra malware being executed. The fact this malware is executed at such a low level is the problem, because it has access to a wider range of sensitive areas normally blocked off to regular user apps.


Researchers at Israeli software firm NorthBit have claimed to have exploited Metaphor remotely, although it isn't the usual automated attack we're used to.

The attack is in 3 stages. First, the file containing the embedded malware is hosted on an innocent-looking web page which the victim is lured towards visiting. This crashes Android's media server, forcing a reset, at which point JavaScript code on the same web page harvests some information from the device's internal setup and forwards it to the attacker's remote server. Then, a bespoke video is created on the fly using this data and sent back - in effect, a custom attack for that specific device is launched, and it's this which contains the embedded malware.

The exploit is reputed to work on devices running Android 2.2 through to 4.0, 5.0 and 5.1; devices running Android 4.1 through to 4.4 do not appear to be at risk from this system. Google has just released a developer preview of Android N - their headache is to ensure not only that this exploit is closed but that all future variants of it are too.

"I would be surprised if multiple professional hacking groups do not have working Stagefright exploits by now. Many devices out there are still vulnerable, so Zimperium has not published the second exploit in order to protect the ecosystem," Avraham, chairman of Zimperium, said.

“Approximately 36 percent of the 1.4 billion active Android phones and tablets run Android 5 or 5.1 and devices lacking the latest updates would be vulnerable”.