In July 2015, a security company called Zimperium announced that it had discovered a vulnerability inside the Android operating system. Potentially, nearly a billion Android devices could be controlled without their users noticing.
What is Stagefright?
The Stagefright exploit lives very deep in the Android operating system, in a library called libStageFright, which is a mechanism used to send videos via MMS (text message). Many text messaging apps, like Google’s Hangouts app, automatically process videos as they arrive, so that the video is ready for viewing when you open the app. This means that, theoretically, the attack can happen while the user is not looking at the phone, and you might not even notice it.
libStageFright dates back to Android 2.2, which means that hundreds of millions of phones contain this library.
What Is the Chance of Having Stagefright on Your Android?
Google was quick to comment on the Stagefright vulnerability at the BlackHat conference in Las Vegas. Android’s lead engineer, Adrian Ludwig, specified that Android devices have a technology called ASLR enabled, which protects users from this issue.
According to Ludwig, about 95 percent of devices run Android 4.0 or higher and have ASLR enabled, which is a built-in protection against overflow attacks.
ASLR (Address Space Layout Randomization) keeps an attacker from reliably finding the function he is trying to exploit by randomly arranging the memory address spaces of a process. ASLR has been enabled in the default Linux kernel since June 2005, and has also been enabled starting with Android 4.0 Ice Cream Sandwich.
What it means is that the key areas of a program or service that’s running aren’t put into the same place in RAM every time. Putting things into memory at random means any attacker has to guess where to look for the data they want to exploit.
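The effect described above can be checked by comparing where a region is mapped in two launches of the same process. The C sketch below is an added example, not code from the original article: it parses two constructed /proc/<pid>/maps excerpts (all addresses are sample values, and legacy_daemon is a hypothetical binary name) and reports which regions moved.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/<pid>/maps excerpts for two launches of one process.
 * All addresses are sample values, not captured from a real device;
 * legacy_daemon is a hypothetical binary that is not randomized. */
static const char RUN_A[] =
    "00008000-0000a000 r-xp 00000000 b3:19 310 /system/bin/legacy_daemon\n"
    "b6d41000-b6e2f000 r-xp 00000000 b3:19 1201 /system/lib/libstagefright.so\n"
    "bea1c000-bea3d000 rw-p 00000000 00:00 0 [stack]\n";
static const char RUN_B[] =
    "00008000-0000a000 r-xp 00000000 b3:19 310 /system/bin/legacy_daemon\n"
    "b6c93000-b6d81000 r-xp 00000000 b3:19 1201 /system/lib/libstagefright.so\n"
    "be8f4000-be915000 rw-p 00000000 00:00 0 [stack]\n";

/* Find the first mapping whose line ends with `name`; store its start address.
 * Returns 0 on success, -1 if no such mapping exists in the snapshot. */
static int region_base(const char *maps, const char *name, unsigned long *base)
{
    size_t nlen = strlen(name);
    for (const char *line = maps; line && *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= nlen && memcmp(line + len - nlen, name, nlen) == 0) {
            *base = strtoul(line, NULL, 16);   /* parsing stops at '-' */
            return 0;
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

/* 1 = base differs between runs (randomized), 0 = same base, -1 = missing. */
static int aslr_moved(const char *a, const char *b, const char *name)
{
    unsigned long ba, bb;
    if (region_base(a, name, &ba) || region_base(b, name, &bb))
        return -1;
    return ba != bb;
}

int main(void)
{
    const char *names[] = { "legacy_daemon", "libstagefright.so", "[stack]" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s moved=%d\n", names[i], aslr_moved(RUN_A, RUN_B, names[i]));
    return 0;
}
```

A region that reports moved=0 is loaded at the same address on every launch, so ASLR adds no protection for it.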
This isn’t a perfect fix, and while a general protection mechanism is good, we still need direct patches against known exploits when they arise. Google, Samsung and Alcatel have announced a direct patch for Stagefright, and Sony, HTC and LG say they will be releasing update patches in August.
Should You Worry About Stagefright or Not?
The researchers who found the exploit are sure that nobody has tried it so far, and we also have confirmation from Google that if we are using Android version 4.0 or later, we are completely safe.
This doesn’t mean that we are completely safe. What we have to do is update our devices. Manufacturers like LG, Samsung, HTC and Motorola, Google’s Nexus line of devices, mobile carriers like AT&T, and Cyanogen will start to provide small updates as soon as possible that will make your phone more secure against the Stagefright exploit.
Google reiterated that there are multiple mechanisms to protect users. It is very difficult to use such exploits, and Android devices also include an application sandbox designed to protect user data and other applications.
The bad news is that there are about 900 million vulnerable devices running older versions of Android, back to version 2.2. Still, so far there have been zero known cases of exploitation.
Users should feel more confident, because as soon as a security risk appears, Google makes sure to release updates. We also have to assume that most bugs aren’t exploitable; Android has done a lot of work to improve security, and it is really, really hard to exploit a bug.