What you need to know about Stagefright?

Jul 29, 2015 By Amit Ashbel

 

Let’s start with a temporary workaround to avoid becoming infected

  1. Open the Hangouts App


  2. Click the hamburger menu and select “settings”
  3. Select SMS
  4. Select Hangouts as your default SMS app
  5. Uncheck ‘Auto-retrieve MMS’

Now that we have that out of the way, we can start talking about the Stagefright vulnerability itself.

What is Stagefright?

Stagefright is a new vulnerability that was found, reported and announced by Zimperium, an Israeli enterprise mobile security company. A device can be infected simply by downloading an MMS message (which happens automatically in most cases). Once the device is infected, the hacker has full control over the phone’s data.

Technicalities

The flaw was detected in Google’s open source media library code. The library is named Stagefright, hence the name of the vulnerability. The Stagefright library allows Android devices to convert media, including media from MMS messages.

More information about the Stagefright engine can be found here: http://source.android.com/devices/media.html

The Stagefright bug/vulnerability is based on multiple issues detected in the Android Stagefright library, which can be found on almost all Android devices.

The list of bugs which created the vulnerabilities is:

  • CVE-2015-1538
  • CVE-2015-1539
  • CVE-2015-3824
  • CVE-2015-3826
  • CVE-2015-3827
  • CVE-2015-3828
  • CVE-2015-3829

At the time of this report, the CVE descriptions were still being kept private.

 

How the device gets infected is the really interesting point here. The Android device just needs to receive an MMS message. The user doesn’t have to open the message in order to get infected. Once the MMS has been received, the device has been owned!

Any reason for me to care?

 

If you are an Android user, there is a 95% chance that you are vulnerable to the Stagefright vulnerability. Upon infection, complete access to the user’s phone data is available. That includes contacts, camera, photos and microphone. An infected device does not show any symptoms, so you might stay completely in the dark while someone is snooping around your personal stuff.

 

What now?

 

First of all, go back to the beginning of this post and follow the 5 simple steps!

 

Google was notified about the vulnerability and the numerous bugs quite a while ago, and after a couple of days introduced the fix to the software. That, however, does not mean we are safe. It means that all the different mobile-phone makers need to implement the fix in their versions of the Android OS and distribute a patch to their users. This may take some time. However, most mobile phone companies have already stated that they are working on it, while others have announced availability of a patch or had already addressed the issue a while ago when it was reported to Google.

 

The Checkmarx Angle

 

Checkmarx’s CxSAST for Mobile delivers unique code security analysis for Android, iOS and Windows applications. Checkmarx eliminates code vulnerabilities during the coding process rather than waiting for them to appear at a later stage. Mobile developers are constantly faced with new and complex security challenges. Application permissions, data input vectors, sensitive data storage, support for multiple operating systems, frequent version releases, cross-application communication and cross-platform functionality all increase the risk of introducing vulnerabilities during development.

 

Checkmarx’s CxSAST for Mobile (part of CxSAST) addresses these challenges and takes mobile static analysis to the next level.

 

It is clear by now that the Stagefright vulnerability was a result of one or more code vulnerabilities. It is also clear that these could have been detected at an earlier stage of development and resolved at that stage. What is not yet clear is what the exact vulnerability is; however, that should become clear within the coming days, after the full information about the reported CVEs is disclosed.
