Stagefright 2.0 Discovered By Google, Here’s What You Need To Know

Andrew Orr In the News

About a year after an Android exploit named Stagefright made headlines, Google researchers found another exploit that is just as dangerous.


Stagefright 1.0

Stagefright is a collection of exploits. It affects Android 2.2 Froyo and later. It lets an attacker “perform arbitrary operations” on a person’s device through remote code execution and privilege escalation. The most common delivery method is sending the victim a specially crafted MMS message; the attack affects the device even if the recipient never opens the message.

To fix it, Google rebuilt a large part of Android. Although Google’s security team issued a patch within a matter of weeks, more attacks came to Android using Stagefright as inspiration. Nougat comes with a rebuilt media playback system to protect against Stagefright exploits.

Image from Project Zero

Stagefright works by targeting Android’s media server. This is the component that apps use when they need to render audio or video. If you receive media over MMS or Google Hangouts, Android renders it before you even see a notification. However, there was a flaw in the way the old media server preloaded the data: once a file declared a size above a certain limit, the integer variables used to track that size overflowed, and the parser wrote media data past its buffer into other parts of the phone’s memory.
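The size-tracking flaw described above is the classic integer-overflow-to-buffer-overflow pattern. The following is an added illustration, not code from Android or libstagefright: a hypothetical 4-byte-length chunk format, a naive bounds check that wraps on large declared sizes, and the hardened check a defender would want (the `parse_chunk` helper and the sample chunks are constructed for this example).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, simplified chunk layout: 4-byte big-endian payload length
 * followed by the payload. This is NOT libstagefright's real format. */
#define HDR_LEN 4u

/* Naive check: adds first, compares second. In 32-bit arithmetic a
 * declared_len near UINT32_MAX wraps to a small value and passes,
 * which is how a huge declared size ends up accepted as "fitting". */
bool naive_fits(uint32_t declared_len, uint32_t avail) {
    uint32_t needed = declared_len + HDR_LEN;   /* may wrap around */
    return needed <= avail;
}

/* Hardened check: rearranged so no addition can overflow. */
bool safe_fits(uint32_t declared_len, uint32_t avail) {
    if (avail < HDR_LEN) return false;
    return declared_len <= avail - HDR_LEN;
}

/* Parse one chunk header from buf. Returns the accepted payload length,
 * or -1 when the chunk is rejected. 'hardened' selects which check runs. */
int64_t parse_chunk(const uint8_t *buf, size_t buf_len, bool hardened) {
    if (buf_len < HDR_LEN || buf_len > UINT32_MAX) return -1;
    uint32_t declared = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16)
                      | ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    bool ok = hardened ? safe_fits(declared, (uint32_t)buf_len)
                       : naive_fits(declared, (uint32_t)buf_len);
    return ok ? (int64_t)declared : -1;
}

/* Constructed samples: a header claiming 0xFFFFFFFE payload bytes inside a
 * 4-byte buffer, and a benign header claiming 8 bytes inside a 12-byte buffer. */
static const uint8_t SAMPLE_OVERSIZED[] = {0xFF, 0xFF, 0xFF, 0xFE};
static const uint8_t SAMPLE_OK[] = {0x00, 0x00, 0x00, 0x08,
                                    1, 2, 3, 4, 5, 6, 7, 8};
```

The naive check accepts the oversized sample (its sum wraps to 2), while the hardened check rejects it and still accepts the benign one.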

Nougat splits the media server from a single monolithic block into a series of stages. Each stage runs in its own process with limited permissions, so the process that extracts a video buffer is now separate from the one that plays the file. Android’s biggest problem is still getting these updates to users quickly enough.

The exploits that fall under the Stagefright umbrella include:

Stagefright 2.0

Google’s team of hackers – Project Zero – released a proof-of-concept hacking technique that can potentially be used on all Android phones. Researcher Mark Brand found a new bug in a part of the Android system called libstagefright. In a blog post, he calls it “an extraordinarily serious bug.” An attacker could use it for remote code execution, which means they can control your phone from a long distance.

Image from Project Zero

Brand said the exploit works on several recent Android versions for the Nexus 5X. However, by changing the code, it is in theory possible to use it even on Android N. The good news is that Google has already released a patch in Android’s most recent release. Due to Android fragmentation, though, it might take a while for you to get it, if at all. The quickest way to receive Android updates and patches promptly is to buy Nexus devices.

Most people are still using old versions of Android. Zuk Avraham, founder and CTO of mobile security company Zimperium says that the new Stagefright affects 99.9% of Android devices. However, Google counters this by saying that the technique is just a “proof-of-concept for research purposes that could not be used in real world attacks without substantial modification and even further research,” because “it does not include a full exploit chain and is specific only to a subset of Nexus devices.”

Joe Sawyer, an independent Android security researcher, said that even though this new exploit is dangerous, it is also hard to use. It’s unlikely that criminals, or even government-sponsored hackers, would use it. Now that it’s in the public awareness, it’s easy to detect.