Joshua Drake at Zimperium has disclosed today the Stagefright vulnerability set in Android — seven CVEs in libstagefright, the media-processing library (Zimperium blog post, July 27). The most serious of the issues, CVE-2015-1538, is a heap overflow in the MP4 parser that can be triggered by sending a specially crafted multimedia message. On default Android configurations, the message is processed by the messaging app — Hangouts in Drake's demonstration — before the user has any opportunity to interact with it. The processing happens automatically. By the time the recipient sees the notification, the implant is running.

This is the worst Android vulnerability I have read about. The combination — kernel-adjacent code execution, no user interaction, triggerable by phone number, ubiquitous across Android versions from 2.2 onward, present on essentially every Android device — is a worm-grade flaw. Drake's estimate is around 950 million affected devices. The patch landscape is fragmented in the way that Android patch landscapes always are: Google has merged fixes into AOSP, but the propagation through device manufacturers and carriers is going to be slow and incomplete. Many devices will never receive the patch.

The vulnerability exists in the C++ media parsing code that handles common multimedia formats. MP4 file parsing in particular has a series of integer overflow and heap corruption issues that allow controlled writes to memory adjacent to the parser's heap allocations. From there, with reasonable assumptions about ASLR and the layout of the mediaserver process, code execution follows. The mediaserver process runs with a specific set of permissions — not full root, but elevated — and includes access to the camera, microphone, network, and storage. The implication for an attacker is that the implant has direct access to most of what makes the phone interesting.
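To make that bug class concrete, here is an added illustration (not libstagefright's code and not the code behind any of the seven CVEs) of the integer-overflow pattern in a sample-table parser: a 32-bit entry count read from the file is multiplied by the entry size in 32-bit arithmetic, the product wraps, and the undersized heap allocation that results is what the parser's copy loop then overruns. The box-header reader, the 12-byte `ENTRY_BYTES` and the sample bytes are constructed for the example; the checked variant shows the two guards a fix needs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified MP4 box header: 32-bit big-endian size, then a 4-char type. Illustrative only. */
struct box_hdr { uint32_t size; char type[5]; };
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Reads one box header from buf. Rejects a declared size smaller than the
 * header itself or larger than the bytes actually remaining in the buffer. */
bool read_box_hdr(const uint8_t *buf, size_t len, struct box_hdr *out) {
    if (len < 8) return false;
    out->size = be32(buf);
    memcpy(out->type, buf + 4, 4);
    out->type[4] = '\0';
    return out->size >= 8 && out->size <= len;
}

/* Assumed entry size for a sample-table box: three 32-bit fields per entry. */
#define ENTRY_BYTES 12u
/* The unchecked pattern: a file-controlled 32-bit entry count multiplied by the
 * entry size in 32-bit arithmetic. The product wraps, so a huge count yields a
 * tiny allocation; a copy loop that trusts `count` then writes past its end. */
uint32_t naive_table_bytes(uint32_t count) {
    return count * ENTRY_BYTES;   /* 0x40000001 * 12 wraps to 12 */
}

/* The hardened pattern: refuse a count whose product would wrap, and refuse a
 * count that claims more entries than the enclosing box actually carries. */
bool checked_table_bytes(uint32_t count, size_t box_payload, size_t *out) {
    if (count > UINT32_MAX / ENTRY_BYTES) return false;   /* would overflow */
    size_t bytes = (size_t)count * ENTRY_BYTES;
    if (bytes > box_payload) return false;               /* count exceeds data present */
    *out = bytes;
    return true;
}

int main(void) {
    size_t ok;
    printf("naive: %u bytes for count 0x40000001\n", naive_table_bytes(0x40000001u));
    printf("checked: %s\n", checked_table_bytes(0x40000001u, 1000, &ok) ? "accepted" : "rejected");
    return 0;
}
```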

The MMS path is the headline because of the no-interaction property, but the same parsing flaws are reachable through other vectors. Web browsing — a malicious page serving a crafted MP4 — does the work without MMS at all, as do email clients that auto-render multimedia and any other application that uses the same parser. The MMS vector is the most concerning because it requires only the recipient's phone number. The web vector is the most likely to be operationally exploited at scale, because it does not require knowledge of phone numbers and can be combined with conventional drive-by ad-network distribution.

For the SOC and engagement work, the immediate piece is the BYOD population on customer networks. The vCISO clients with significant BYOD presence — Browne Jacobson and Towry both — have employees on Android phones whose patch state is, on a generous estimate, mixed. The advice for the next ninety days is the standard pre-patch mitigation: disable MMS auto-retrieval in the messaging app, which removes the no-interaction path; disable auto-play of multimedia in messaging apps that support that toggle; for the highest-risk users, recommend a temporary switch to non-Android devices until the patch propagates. The detection side is harder — the MMS payload is specifically crafted to evade signature-based detection at the carrier layer, and the network-side detection footprint is minimal.

The structural problem is the patching ecosystem. Google's response — pushing fixes into AOSP within hours of disclosure — is the right action and was rapid. The next step, getting those fixes to end-user devices, depends on the device manufacturer (Samsung, LG, HTC, and dozens of others) merging the AOSP changes into their own customised builds, testing those builds, releasing updates, and on the carriers (in the US, much less so in the UK and Europe) approving and distributing the updates. Each step has a delay. For older or low-end devices that the manufacturer no longer supports, no update will be released. That population will remain vulnerable indefinitely.

The carriers in the US have indicated they will work with manufacturers on accelerated patches; Verizon and AT&T have made statements; Samsung and LG have committed to monthly security updates going forward. Whether that monthly cadence actually materialises and persists is the question that will determine whether Stagefright becomes a one-off catalysing event or just another in the long pattern of unpatched Android flaws. I am pessimistic but willing to be wrong.

Drake will present at Black Hat next week. The presentation will, presumably, include the working exploits that Zimperium has held back from the public disclosure. Expect Black Hat week to produce the public exploit code, expect exploit-kit incorporation within days, and expect the lifetime of this vulnerability — measured by the number of vulnerable devices in the wild on any given day — to be measured in years.

The thing I keep returning to is the trust model. The Android messaging stack accepts media messages from arbitrary senders and processes them with parser code written in C++ on a device that the user keeps next to their bed. Every assumption in that sentence is a known operational risk that the ecosystem has, collectively, decided to live with. Stagefright is the demonstration of why that decision needs to be revisited. It will probably not be.