Stagefright (bug)
Stagefright is the name given to a group of software bugs that affect versions from 2.2 "Froyo" up until 5.1.1 "Lollipop" of the Android operating system, exposing an estimated 950 million devices (95% of all Android devices) at the time. The name is taken from the affected library, which, among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user action upon message reception to succeed; the user does not have to do anything to 'accept' exploits using the bug, since it happens in the background. A phone number is the only information needed to carry out the attack. The underlying attack vector exploits certain integer overflow vulnerabilities in the Android core component known as the Stagefright library, a complex software library implemented primarily in C++ as part of the Android Open Source Project (AOSP) and used as a backend engine for playing various multimedia formats such as MP4 files. The discovered bugs have been assigned multiple Common Vulnerabilities and Exposures (CVE) identifiers (the latter one has been assigned separately from the others), which are collectively referred to as the Stagefright bug.
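The integer overflow class just described, as an added C illustration written for this page (it is not code from the page, from Zimperium, or from AOSP, and it does not reproduce any specific Stagefright CVE): it parses the generic ISO BMFF box header used by MP4 files (a 32-bit big-endian size followed by a 4-character type, a format fact not stated on the page) and contrasts a bounds check whose addition can wrap with one that compares before adding. Both sample buffers are constructed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* ISO BMFF (MP4) box header: 32-bit big-endian size, then a 4-char type. */
#define BOX_HEADER_LEN 8u

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The bug class: "offset + size" is computed in 32 bits, so a huge size
 * field wraps the sum to a small number, the check passes, and a later
 * copy of `size` bytes runs off the end of the buffer. */
int naive_box_fits(uint32_t offset, uint32_t size, uint32_t total) {
    uint32_t end = offset + size;   /* may wrap around to a small value */
    return end <= total;
}

/* Hardened form: compare before adding, so no wrap can happen, and reject
 * a size smaller than the header so the payload length cannot underflow.
 * (The special values size==0 "to end of file" and size==1 "64-bit size
 * follows" are simply rejected here to keep the example short.) */
int checked_box_fits(uint32_t offset, uint32_t size, uint32_t total) {
    if (offset > total)          return 0;
    if (size < BOX_HEADER_LEN)   return 0;
    if (size > total - offset)   return 0;   /* total - offset cannot underflow */
    return 1;
}

/* Parse one box header at `offset`. On success returns 1 and fills the
 * NUL-terminated `type` and the payload length; 0 on any malformed input. */
int parse_box(const uint8_t *buf, uint32_t total, uint32_t offset,
              char type[5], uint32_t *payload_len) {
    if (offset > total || total - offset < BOX_HEADER_LEN) return 0;  /* truncated header */
    uint32_t size = read_be32(buf + offset);
    if (!checked_box_fits(offset, size, total)) return 0;
    memcpy(type, buf + offset + 4, 4);
    type[4] = '\0';
    *payload_len = size - BOX_HEADER_LEN;
    return 1;
}

/* Walk every top-level box; returns the box count, or -1 if any box is
 * malformed. Because each size was checked, `offset` can never pass `total`. */
int count_boxes(const uint8_t *buf, uint32_t total) {
    uint32_t offset = 0, payload_len;
    char type[5];
    int count = 0;
    while (offset < total) {
        if (!parse_box(buf, total, offset, type, &payload_len)) return -1;
        offset += BOX_HEADER_LEN + payload_len;
        count++;
    }
    return count;
}

/* Constructed samples (not real files). GOOD: a 16-byte 'ftyp' box followed
 * by an 8-byte 'free' box. BAD: an 8-byte 'free' box followed by a header
 * whose size field is 0xFFFFFFF8, chosen so that 8 + size wraps to 0. */
const uint8_t SAMPLE_GOOD[24] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'i','s','o','m', 0,0,0,0,
    0x00,0x00,0x00,0x08, 'f','r','e','e' };
const uint8_t SAMPLE_BAD[24] = {
    0x00,0x00,0x00,0x08, 'f','r','e','e',
    0xFF,0xFF,0xFF,0xF8, 'm','d','a','t', 0,0,0,0, 0,0,0,0 };

int main(void) {
    printf("naive check accepts wrapped size: %d\n",
           naive_box_fits(8, 0xFFFFFFF8u, 24));      /* 1: the bug */
    printf("checked check accepts wrapped size: %d\n",
           checked_box_fits(8, 0xFFFFFFF8u, 24));    /* 0: rejected */
    printf("boxes in GOOD: %d, in BAD: %d\n",
           count_boxes(SAMPLE_GOOD, 24), count_boxes(SAMPLE_BAD, 24));
    return 0;
}
```

The design point is in `checked_box_fits`: every comparison is done against a value that cannot wrap (`total - offset` after confirming `offset <= total`), so an attacker-controlled length field can only cause a rejection, never a too-small bound. The same rule applies to any length or count read from a media container before it is used to size a copy or an allocation.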


History

The Stagefright bug was discovered by Joshua Drake from the Zimperium security firm, and was publicly announced for the first time on July 27, 2015. Prior to the announcement, Drake reported the bug to Google in April 2015, which incorporated a related bugfix into its internal source code repositories two days after the report. In July 2015, Evgeny Legerov, a Moscow-based security researcher, announced that he had found at least two similar heap overflow zero-day vulnerabilities in the Stagefright library, claiming at the same time that the library had already been exploited for a while. Legerov also confirmed that the vulnerabilities he discovered become unexploitable by applying the patches Drake submitted to Google. The public full disclosure of the Stagefright bug, presented by Drake, took place on August 5, 2015 at the Black Hat USA computer security conference, and on August 7, 2015 at the DEF CON 23 hacker convention. Following the disclosure, on August 5, 2015, Zimperium publicly released the source code of a proof-of-concept exploit, actual patches for the Stagefright library (although the patches had already been publicly available since early May 2015 in the AOSP and other open-source repositories), and an Android application called "Stagefright detector" that tests whether an Android device is vulnerable to the Stagefright bug. On August 13, 2015, another Stagefright vulnerability was published by Exodus Intelligence. This vulnerability was not mitigated by the existing fixes for the already known vulnerabilities. The CyanogenMod team published a notice that patches for CVE-2015-3864 had been incorporated into the CyanogenMod 12.1 source on August 13, 2015. On October 1, 2015, Zimperium released details of further vulnerabilities, also known as Stagefright 2.0. This vulnerability affects specially crafted MP3 and MP4 files that execute their payload when played using the Android media server. The vulnerability has been assigned a CVE identifier and was found in a core Android library called libutils, a component of Android that has existed since Android was first released. Android 1.5 through 5.1 are vulnerable to this new attack and it is estimated that one billion devices are affected.


Implications

While Google maintains Android's primary codebase and firmware, updates for the various Android devices are the responsibility of wireless carriers and original equipment manufacturers (OEMs). As a result, propagating patches to the actual devices often introduces long delays due to the large fragmentation between manufacturers, device variants, Android versions, and the various Android customizations performed by the manufacturers; furthermore, many older or lower-cost devices may never receive patched firmware at all. Many of the unmaintained devices would need to be rooted, which violates the terms of many wireless contracts. The nature of the Stagefright bug therefore highlights the technical and organizational difficulties associated with the propagation of Android patches. As an attempt to address the delays and issues associated with the propagation of Android patches, on August 1, 2015 Zimperium formed the Zimperium Handset Alliance (ZHA) as an association of different parties interested in exchanging information and receiving timely updates on Android's security-related issues. Members of the ZHA also received the source code of Zimperium's proof-of-concept Stagefright exploit before it was publicly released. A total of 25 of the largest Android device OEMs and wireless carriers have joined the ZHA.


Mitigation

Certain mitigations of the Stagefright bug exist for devices that run unpatched versions of Android, including disabling the automatic retrieval of MMS messages and blocking the reception of text messages from unknown senders. However, these two mitigations are not supported in all MMS applications (the Google Hangouts app, for example, only supports the former), and they do not cover all feasible attack vectors that make exploitation of the Stagefright bug possible by other means, such as opening or downloading a malicious multimedia file using the device's web browser. At first it was thought that further mitigation could come from the address space layout randomization (ASLR) feature that was introduced in Android 4.0 "Ice Cream Sandwich" and fully enabled in Android 4.1 "Jelly Bean"; the Android 5.1 "Lollipop" release includes patches against the Stagefright bug. Unfortunately, later results and exploits like Metaphor that bypass ASLR were discovered in 2016. As of Android 10, software codecs were moved to a sandbox, which effectively mitigates this threat for devices capable of running this version of the OS.


See also

* Android version history – a list and descriptions of the released versions of Android
* Another MMS remote code execution vulnerability was found in 2020 for Samsung Android 8.0 (Oreo) to 10.x (Q) smartphones, CVE-2020-8899



External links

* , August 5, 2015
* Exploits database for the Android platform
* Google's Android codebase patches against the Stagefright bug: patch #1, patch #2 and patch #3