A vulnerability in the Stagefright media library used in Android remains unpatched in 95 percent of devices months after first being reported by Zimperium.
Security firm Zimperium today is publicly disclosing a flaw in Google's Android mobile operating system that could expose 950 million users to risk. The vulnerability is found in the Android Stagefright media library, which is a common element in Android versions 2.2 and higher.
Zimperium zLabs Vice President of Platform Research and Exploitation Joshua Drake will detail the complete vulnerability in a talk
at the Black Hat USA conference on Aug. 5.
"When you send an MMS [Multimedia Messaging Service] message to an Android user, it is automatically processed with the Stagefright media library," Drake told eWEEK
. "It's written in native code, so it's a little more prone to memory errors."
Drake said that he performed some fuzz testing on Stagefright and was able to trigger a number of crashes. When he looked into the crashes, he discovered a number of weaknesses in Stagefright.
"The thing that scares me the most about the Stagefright code is that Android is very promiscuous about invoking it with untrusted data," Drake said. "So, for example, if I send a link for a video file, it will download and then Android will process the data automatically with the Stagefright code, without any additional notification or user interaction."
Drake said the flaws in large part are integer overflows that lead to potentially exploitable memory buffer overflow conditions.
Drake is a well-known contributor in the open-source Metasploit penetration testing framework community, which is often the first place that weaponizable exploits show up as publicly available proof of concept code. Drake said he has been working on test cases to demonstrate the vulnerability, though nothing has been submitted to Metasploit yet.
"Right now what I have is an exploit that will send a series of MMS messages, and the exploit will keep trying until it gets shell access on the target," he said.
With shell access, an attacker could do any number of things on a vulnerable device. For example, the Stagefright exploit could potentially enable an attacker to get full access to all audio streams and Bluetooth administration access on the device, he said. An attacker could also get access to the camera as well as Internet access on the vulnerable device.
Drake said he sent Google patches for two sets of flaws—the first set of patches was sent in April and the second in May. In total, the vulnerabilities are identified by seven different CVE identifiers and were patched in the internal branches of Android within the first 48 hours of being received, he added.
"Google took the issues very seriously, which I'm very happy about," Drake said. "The problem is, however, that it takes a very long time after the initial 48 hours for the patched code to be pushed to any consumer devices."
Some of the issues are fixed on the Google Nexus 6 smartphone, while other Android devices have yet to be patched, according to Drake. He emphasized that the problem of Android patching is even worse, since the only devices that might get a patch for the flaws are those that are still supported by vendors. And, in Drake's estimation, supported Android devices only make up 20 percent of the Android devices that are in use.
The issue of unsupported Android devices for which there are no patches is not a new one, and it was also highlighted
by Jeff Forristal, CTO of mobile security vendor Bluebox Security, earlier this year. Forristal told eWEEK
at the time that flaws that he first reported at Black Hat 2013 and 2014 still remain unpatched on many Android devices.
Drake suggests that Android users upgrade their devices to more recent releases that are supported by vendors.
"People on devices older than Android Lollipop, for example, are already not supported, and they are probably at risk from hundreds of vulnerabilities," he said.
Sean Michael Kerner is a senior editor at
InternetNews.com. Follow him on Twitter @TechJournalist.