More than a billion mobile devices are affected by a set of two new critical vulnerabilities in Android's Stagefright code that can be exploited by an attacker to take complete control of a device, and as of Thursday patches are not available for users.
Disclosed by Zimperium researchers in July, the original Stagefright issue consisted of several critical remote code execution vulnerabilities in Android's Stagefright code that could be exploited on an estimated 950 million devices simply by sending an MMS message with specially crafted media attached.
Although Google has since taken action to minimise the threat posed by the MMS message vector, this latest pair of vulnerabilities – identified again by Zimperium's Joshua Drake – is considered to be just as critical.
The two bugs manifest when processing specially crafted MP3 audio or MP4 video files, and altogether more than a billion Android devices are at risk, a Thursday post said.
One vulnerability is in 'libutils' and it affects nearly every Android device since version 1.0 was released in 2008, the post said. The aforementioned bug could be triggered on devices running Android version 5.0 and higher using the second flaw, which is in 'libstagefright'.
Drake, Zimperium zLabs vice president of platform research and exploitation, told SCMagazine.com in an email correspondence that the vulnerabilities allow remote arbitrary code execution, which enables taking control of the mediaserver process.
“This allows accessing several privileged subsystems and in some cases provides access to the system group,” Drake said. “Additionally, the attacker gains a foothold, from which they could conduct further local privilege escalation attacks and take complete control of the device.”
Since Google updated Hangouts and Messenger to remove the automatic processing of media received by MMS, Drake – who noted that Zimperium has not observed attacks in the wild – said that potential attackers will now have to rely on other exploitation vectors.
“A more likely attack vector at this point is via the Web browser,” Drake said. “An attacker can send a URL and if their target clicks it they can be compromised without any further user interaction. To increase impact an attacker could easily send the URL to a multitude of targets. Further, an on-path attacker could eliminate the need for user interaction using a man-in-the-middle (MITM) attack.”
According to a Google statement emailed to SCMagazine.com on Thursday, the issues reported by Drake will be included in the October Monthly Security Update for Android, which is scheduled to be released on 5 October.
On that upcoming date, the fix will be made in the Android Open Source Project (AOSP) and patches for the vulnerabilities will roll out to Nexus users, the statement noted. Additionally, patches for issues in the October update were provided to partners on 10 September, and Google is working with OEMs and carriers to push updates as soon as possible.