What exactly is this Stagefright vulnerability?

The same day Google announced the name for the next release of Android, they also released a new set of fixes to address the Stagefright security gap. Even if you are already aware of Stagefright, stay tuned. You may find that there is more to it than you have heard about.

What is Stagefright?

Stagefright is the name of the media-processing brain behind the Android operating system. When a media file (such as MPEG4 or 3GPP) is received on the device, Stagefright immediately starts processing the file without prompting the user. The intention was to provide a better user experience by pre-processing video content ahead of time so that users can bypass heavy processing tasks when viewing the files.

What is the Stagefright Security Gap?

Due to a class of programming error called a buffer overflow, data taken from the media file can be written into memory it was never meant to reach, including areas that influence what code the device executes. Attackers can use this to run malicious code. This is analogous to an overflowing bathtub. Most of the water spills onto the floor and is easy to clean up. However, water may also splash onto other objects in the room, such as the book you are reading, and damage them. This is comparable to how malicious code from an overflow works.
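To make the "overflow" concrete, here is an added example (not code from this post and not libstagefright's source) of the kind of length-field mistake that produces one. It is a toy parser for an MP4-style "box" stream, a constructed format for illustration: a 4-byte big-endian size that includes the 8-byte header, a 4-byte type tag, then the payload. The unchecked version trusts the size field from the file; when the size is smaller than the header, the subtraction wraps to roughly 4 GB, and any allocation or copy based on that value reads and writes far outside the real buffer. The checked version validates the size before doing arithmetic with it. The sample inputs are constructed, not taken from any real file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libstagefright code: a toy parser for an MP4-style
 * "box" stream (4-byte big-endian size that includes the 8-byte header,
 * then a 4-byte type tag, then payload). It shows how an unchecked length
 * field turns into an overflow, and the bounds checks that prevent it. */

#define BOX_HEADER 8u

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked: trusts the size field from the file. For size < 8 the
 * subtraction wraps to ~4 GB; a caller that allocates or copies that many
 * bytes reads and writes far outside the real buffer. Returns the payload
 * length the parser would hand on. Shown only to illustrate the defect. */
int box_payload_len_unchecked(const uint8_t *buf, size_t len, size_t *out) {
    if (len < BOX_HEADER) return -1;
    uint32_t size = read_be32(buf);
    *out = (size_t)(size - BOX_HEADER);   /* wraps when size < 8 */
    return 0;
}

/* Checked: the size must cover its own header and must fit inside the bytes
 * we actually hold. Both conditions are tested before any arithmetic that
 * could wrap. */
int box_payload_len_checked(const uint8_t *buf, size_t len, size_t *out) {
    if (len < BOX_HEADER) return -1;
    uint32_t size = read_be32(buf);
    if (size < BOX_HEADER) return -1;   /* would underflow */
    if (size > len) return -1;          /* claims more bytes than exist */
    *out = size - BOX_HEADER;
    return 0;
}

/* Walks a sequence of boxes with the checked parser. Returns the number of
 * boxes, or -1 at the first malformed header. Advancing by a validated size
 * cannot overflow 'offset' because size <= len - offset at every step. */
int walk_boxes(const uint8_t *buf, size_t len) {
    size_t offset = 0;
    int count = 0;
    while (offset < len) {
        size_t payload;
        if (box_payload_len_checked(buf + offset, len - offset, &payload) != 0)
            return -1;
        offset += BOX_HEADER + payload;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not real media files). */
static const uint8_t good_stream[] = {
    0x00,0x00,0x00,0x0C, 'f','t','y','p', 0x00,0x00,0x00,0x01,  /* 12-byte box */
    0x00,0x00,0x00,0x08, 'f','r','e','e'                        /* 8-byte box  */
};
static const uint8_t tiny_size[] = { 0x00,0x00,0x00,0x04, 'm','o','o','v' };           /* size 4 < header */
static const uint8_t huge_size[] = { 0x7F,0xFF,0xFF,0xFF, 'm','d','a','t', 0,0,0,0 };  /* size > buffer */

int main(void) {
    size_t n = 0;
    box_payload_len_unchecked(tiny_size, sizeof tiny_size, &n);
    printf("unchecked payload length for size=4: %zu bytes\n", n);
    printf("checked parser on size=4 (expect -1): %d\n",
           box_payload_len_checked(tiny_size, sizeof tiny_size, &n));
    printf("checked parser on oversized box (expect -1): %d\n",
           box_payload_len_checked(huge_size, sizeof huge_size, &n));
    printf("boxes in well-formed stream (expect 2): %d\n",
           walk_boxes(good_stream, sizeof good_stream));
    return 0;
}
```

The defensive point is that every length read from untrusted media must be checked against both its own minimum (it must at least cover the header it describes) and the bytes actually available, and the check must happen before the value is used in subtraction, addition, allocation or copying; checking afterwards is too late because the wrap has already occurred.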

Is My Device Affected?

Prior to version 4.1 (AKA Jelly Bean), Android had fewer protective measures in place for code that is being executed. Google has since added address space layout randomization (ASLR), a defense that randomizes where code and data sit in memory and so makes it harder for an attacker to pinpoint a location and redirect execution to injected malware. Below is a summary of the security impact for different versions.

Versions of Android that don’t have the latest patches installed

Ice Cream Sandwich (4.0.4) or earlier: High Risk. Malicious code can easily take over a device after a successful infection.

Jelly Bean (4.1) to Lollipop (5.1.x): Risk. Malicious code can easily cause devices to crash after a successful infection. There is still some risk of device takeover.

If you want to dive deeper into the technical aspects of Android security, see the list of security enhancements from Android Tamer.

What Has Been Done So Far?

So What Now!?

So far we have not seen any major attacks from this vulnerability, but it is only a matter of time. Proof-of-concept code is already “in the wild.” At the moment, the best protection is to keep your MMS “auto retrieve” option turned off. There are still risks when accessing media files that come from someone else, and those files are especially risky if they come from unknown sources. We are seeing manufacturers and carriers respond to this security issue much more quickly. The challenge still remains to fully update all 900 million affected devices.

The best way to determine if your device is affected is to use the recently released app by Zimperium. This app, which is constantly updated, will determine whether your device has this vulnerability. Use extreme caution with apps that claim they can fix Stagefright or other vulnerabilities. AndroidPolice has a page to track different manufacturers’ plans to address Stagefright. We will continue to monitor development and update you with any important information that we uncover.