Even though a year has passed since the notorious Stagefright Android flaws were discovered, hackers keep uncovering similar bugs. Three days ago, on September 7th, Google’s own elite team of hackers a proof-of-concept hacking technique which is believed to be able to target all Android running devices.
Last summer a security researcher found the Stagefright set of bugs in a core part of the Android OS. Leveraging on them, crooks were able to pwn a user`s device with just a simple multimedia messages and the attack doesn’t even require the victim to see the message first. Since this discovery, other hackers and experts also found different ways to take advantage of the flaws.
The Stagefright discovery was a turning point for Android`s security as, because of it, Google decided to apply a monthly update cycle in an attempt to improve Android’s biggest security flaw. And it worked, sort of. The Android security has overall improved, providing patches and etc., but there are more stuff that need to be done.
Mark Brand, a Google Project Zero researcher, has recently stumbled across a new flaw in the Android`s OS, called Libstagefright. As Brant says in a blog post from Wednesday, he found it “deep in the bowels of the usermode Android system”. The researcher refers to it as “an extremely serious bug” because it can be abused to achieve “remote code execution” hacker lingo for obtaining control of a phone from a distance.
The exploit works “on several recent Android versions for the Nexus 5x”, as the researchers say but he didn’t completely leave out the possibility of it being used on newer Android Nougat as well. Brand didn’t only explain in details how he had found the flaw, but he also released code so that other experts could exploit it as well. Fortunately, with Android`s latest release, the bug, called by Google “a critical security vulnerability” is no longer a problem.
However, there is bad news as well. If you don’t get regular Android updates, (meaning you own a Google Nexus phone), you are still at risk. According to the founder and CTO of mobile security firm Zimperium, Zuk Avraham, 99.9% of all devices are affected by the bug due to the fact the majority is still using older Android versions and the attack can be used in the real world.
“This is really big.” – Avraham told Motherboard in an online chat, adding that he’s “100%” certain that “this or similar Stagefright/Mediaserver exploits are used in the wild in targeted attacks.”
On the other hand, a Google spokesperson said that the technique is just a “proof-of-concept for research purposes that could not be used in real world attacks without substantial modification and even further research” as “it does not include a full exploit chain and is specific only to a subset of Nexus devices.”
Jon Sawyer, an independent security expert specializing in Android security, agreed that the flaw is very serious but he thinks of it as very difficult to exploit. As he says, it is not likely that crooks with “run of the mill malware” will use it.
Furthermore, given the fact that this is a public vulnerability still under analyzation, which makes it easier to be detected, Sawyer doesn’t think any crooks would risk it. However, to Alberto Pelliccione, a former Hacking Team employee who developed the company’s Android malware, thinks the exploit could be repurposed to hit other Android`s versions.
“It’s not trivial, but someone whose work is to develop exploits and has studied Stagefright could do it in a few days, less than a week, for sure.” – Pelliccione, who now runs a defensive security company called ReaQta, told Motherboard, adding that repurposing the exploit for Nougat would be much harder.
Even though the chanced of getting attacked by this exploit are slim, users should still keep their Androids up to date by downloading Nougat.
