StageFright : The most vulnerable bug in Android OS

Yashwant VishwakarmaSQL DBA
CERTIFIED EXPERT
Published:
In this article we will discuss all things related to StageFright bug, the most vulnerable bug of android devices.
1.pngIntroduction:
If we talk about smartphones and android devices, then there are billions of billions users using android OS worldwide. 1.5 million android devices are getting activated daily including smartphones, tablets and android wearable. If you keep this figure in mind then there are billions of users using android OS. These figures show just how popular android is right now. People like this OS very much. But due to increase of users, security concerns are rising.
 
2.pngFigure1: showing number of daily activation of Android devices [] image credit: www.statista.com ]
 
The global market share of android devices is more than 82% worldwide. That means most of the smartphone users are using android OS. But with this increase of users, now mobile security is also at risk - a bug called StageFright has been detected, which places the mobile security of billions of android users at risk. This article describes all about StageFright.
 
3.pngFigure2: Showing global share of Android device in market [] image credit: www.statista.com ]
 
What is StageFright ?
StageFright is a bug in the android OS, through which an attacker can target your device and can perform arbitrary operations on the device through remote code execution and privilege.
 
Who discovered StageFright?
A top Android researcher Joshua Drake (@jduck), who works in Zimperium’s zLabs team, discovered the most vulnerable hole in Android OS, which was publicly announced for the first time on July 27, 2015. ‘Stagefright’. Zimperium’s team also calling it ‘Mother of all Android Vulnerabilities’, as it impacts 95% or 950 million of all Android devices and does not require any interaction with the victim.
 
Why does StageFright make Android users so vulnerable ?
Because a hacker can get into your android device without interaction with victim and can operate remotely or silently and you will never guess that you are the victim if you are not techie and smart enough. Here below is a StageFright demo video released from Zimperium’s zlabs by Joshua Drake. In this video Joshua Drake is showing how a hacker can get into your device and what type of privileges he/she can escalate.
 
See StageFright Demo Video
 
StageFright Versions:
There are two versions that exploit Android devices:
StageFright 1.0
StageFright 2.0
 
StageFright 1.0
A patch for StageFright 1.0 has been released from Google. StageFright 1.0 used auto retrieval mms option of messaging app s& chat apps to send malicious files into your Android device and silently get into it through the libStageFright mechanism (thus the "StageFright" name), which helps Android process mms files. Many text messaging apps — Google's Hangouts app was specifically mentioned — automatically process that video so it's ready for viewing as soon as you open the message, and so the attack theoretically could happen without you even knowing it. Google is saying that StageFright 1.0 is fixed. If I talk about my own smartphone (which is a Motorola G), I  got an update that includeda StageFright 1.0 patch to fix it. You can get an idea about StrageFright 1.0 from the below link:
 
Avast blog for StageFright 1.0
 
StageFright 2.0
According to Zimperium, a pair of recently discovered vulnerabilities make it possible for an hacker or attacker to get into Android device with a MP3 or MP4 like file, so when the metadata for that file is previewed by the OS, that file could execute malicious code via website or a human being in the middle of an attack built specifically for delivering these malformed files, this code could be executed without user interaction.
 

Zimperium claims to have confirmed remote execution, and brought this to Google's attention on August 15. In response, Google assigned CVE-2015-3876 and CVE-2015-6602 to the pair of reported issues and started working on a fix.
Is your Android device affected by StageFright 2.0
According to Zimperium

In one way or another, yes. CVE-2015-6602 refers to a vulnerability in libutils, and as Zimperium points out in their post announcing the discovery of this vulnerability it impacts every Android phone and tablet going back as far as Android 1.0. CVE-2015-3876 affects every Android 5.0 and higher phone or tablet, and could theoretically be delivered via website or man in the middle attack.
What CVE is ?
I am talking about CVE but what actually CVE is?
CVE stands for Common Vulnerabilities and Exposures (CVE) system which provides a reference-method for publicly known information-security vulnerabilities and exposures. 
 
CVE-ID Syntax
There was an old version of CVE syntax also which is little bit different from below defined syntax.
 
CVE prefix + Year + Arbitrary Digits [] New syntax implemented from Jan 1st, 2014 ]
 
So if someone says what is CVE-2015-6602, then we can easily describe it, that it is a threat ( Common Vulnerability Exposure ) which came in year 2015 having CVE-ID 6602. By putting CVE-2015-6602 on website: www.cvedetails.com you can get more information, resources and links for the particular CVE. I hope that now CVE-YYYY-NNNN is not a new thing for you. You are aware and you can answer if someone asks.
 
4.pngFigure3: Fetching CVE-2015-6602 details
 
The following figure is clearly showing the difference between old CVE syntax and new CVE syntax which is taken from www.mitre.org
 
5.png                                         Figure4: Showing differences between old and new CVE syntax
 
How to know if your Android device is affected by StageFright 2.0 vulnerability
Zimperium launched a tool, StageFright Detector, which tells us about StageFright vulnerability for our android device. You can download their app from Google Play Store.
 
My own experience about StageFright:
I was the victim of StageFright 1.0 prior to when the patch had arrived. I had frustrating experiences from StageFright, but it took me a while to realize that my smartphone get hacked by a smart hacker. I noticed that the behavior of my smartphone was changing -  it was behaving like there was some problem, so I took precautions like cleaning the mobile, changing the passwords, locking the screen etc. All these things were troubling me and I was trying to get these things rectified. After some days I read an article about StageFright where symptoms and precautions both were explained. At this point I realized that I was the victim of StageFright 1.0
 
You can’t believe the things which I noticed then:
1) When I was using my wifi a file which was just 100-200 KB automatically downloaded and I didn’t find it on the phone, but it was showing when I took a backup using CM Backup app. This is the first incident, where I suspected something was wrong but I ignored it.
 
2) Next, my phone was in my hand and I was reading messages in WhatsApp when suddenly the 2048 number puzzle game launched. I had installed in my phone, but I was not playing it. I tried to close it but not able to. It was like somebody had accessing your desktop and disturbing you by pressing backspace again and again while you are typing. I quickly powered-off my smartphone and turned it on again on after few minutes. Now I was afraid, and my suspicions clearly suggested that something was wrong. It was 10 am morning.
 
3) That night about 9 pm my mobile was lying on the bed, with the screen facing towards the bed and wifi was on. I was preparing dinner, then after finished dinner when I opened my mobile I found 649 pics were taken - there was notifications in the notification bar by File Explorer app. I am now more afraid.
 
4) Generally in my home I always leave my wifi-enabled phone on. After a night when I woke up early in the morning I found that my battery drained almost to 19% and in night it was 59%.
 
During these days I read the article by avast mobile security. I formatted my mobile changes all passwords from mail to wifi to screen lock and applock and I followed all steps which was described in avast blog.
 
5) After 20-25 days an update came for my device which was released by Google and has a patch for StageFright. I downloaded that and installed it. Now my mobile was working fine.

Unfortunately, now StageFright 2.0 has arrived, so be aware. Keep yourself from being a victim, follow the precautions which are given below under the heading “How to fight with StageFright 2.0 until the patch arrives.“ I had a very frustrating and annoying experience with StageFright 1.0.
 
Android was my favorite flavor for smartphones but after this incident I am losing my interest in Android devices.
 
How to fight with StageFright 2.0 until the patch arrives:
1) Try to not download mp3 or mp4 from your web browsers.
2) Avoid public networks.
3) Secure your wi-fi connection with strong passwords.
4) Pay attention to where you are browsing and what you are browsing.
5) Don't open mp3 or mp4 files from anyone you don't know.
 
OS which have fixed StageFright 2.0
Blackphone 2, is a smartphone in which the phone is fully encrypted to tighten the security. The company calls it Silent OS, which is derived from Android (which is open source).
 
Cyanogenmod OS have patched for StageFright 2.0
 
I am surprised by how little Google is doing, is Google seriously doing something to secure their OS like iPhone doing? iOS is much more secure than Android. iOS releases updates in timely fashion to make it secure and for better performance and keeping an eye on their store. I read the news 10-20 days ago that a Chinese app in iOS was trying to fetch information. Apple quickly blocked that app from their store. This is called secure environment with quick action.
References:
1) www.wikipedia.com
2) www.bgr.com
3) www.pcworld.com
4) www.androidcentral.com
5) www.statista.com
6) www.cvedetails.com
7) www.mitre.org

Final Words:
Although android devices covered more than 83% market globally, if security issues will go on continuously people will lose their interest in android devices. Billions of android devices are at risk. Privacy is also at risk. StageFright attackers can access your android device at root level and can do anything. Let’s see what will happen in coming months. Hoping better future for android device in terms of security.
 
Happy reading. Please share your views via comments.
10
6,069 Views
Yashwant VishwakarmaSQL DBA
CERTIFIED EXPERT

Comments (3)

CERTIFIED EXPERT
Distinguished Expert 2023

Commented:
There's a number of grammatical errors in the article, and I didn't find the opinions at the end of any value (you should add some supporting information if you're going to make a statement like "iOS is much more secure than Android"), but beyond that the article is informative about the Stagefright bug and risk it poses.
+1
CERTIFIED EXPERT

Author

Commented:
Hi Footech,
Thank you for your suggestion. I will keep it in mind and will try to make articles better in future.
Yes earlier grammatical mistakes was there but lherrou ( Expert Exchange Editor ) already fixed.
And yes I am not good at English but from all of your support I can learn better.

Have a great day ahead :)
CERTIFIED EXPERT
Distinguished Expert 2023

Commented:
I appreciate the effort that goes into making an article, especially in English when that is not your first language.

I don't think that "there are billions of billions users using android OS worldwide" (bold added by me for emphasis).
There aren't that many people in the world.  :)
The last statement I saw (claiming it came from a Google head) said that there are now one billion Android users.

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.