
Millions of devices are still vulnerable, says researcher who discovered Stagefright

The Stagefright vulnerability on Android phones was one of the top security stories of 2015. Here's where it stands now and how users can protect their devices.


Operating system vulnerabilities are commonplace these days, and one of the most notorious examples is Stagefright. TechRepublic writer James Sanders named it one of the top five security vulnerabilities of the past year.


What makes Stagefright so formidable? It involves a flaw in a common Android video playback library (libstagefright) that permits a buffer overflow when playing MPEG4 video files. This overflow can then give an attacker the ability to run malicious code with escalated privileges, and all it takes to exploit the vulnerability is a specially constructed multimedia text message.

The Stagefright discovery sent a shockwave through the entire mobile ecosystem last year. As delays in security updates made headlines, the Federal Trade Commission and Federal Communications Commission got involved. While Google has invested heavily in improving Android's security since then, patches do little good if they fail to reach end-users. Unfortunately, this is often the case thanks to Android's fragmented update process that relies on phone manufacturers and carriers to deploy updates.

Adding to this problem, the adoption rate of new versions of Android is very slow, with only 13.3% of devices running Android Marshmallow (6.0) nearly one year after its release. If this trend continues, Android Nougat will only be used on roughly the same number of devices this time next year. This concerns us because outdated devices will not benefit from a majority of the improvements Google has made in response to research related to multimedia processing.

I spoke with Joshua Drake, zLabs VP of Platform Research and Exploitation at Zimperium, who discovered the vulnerability, about what's happened since then.

Do you know if anyone has exploited the Stagefright vulnerability?

"To our knowledge it has not been exploited in the wild."

What's particularly concerning about Stagefright?

"The most dangerous aspect is that these vulnerabilities do not require any user interaction to be exploited. Attackers only need a victim's phone number to remotely execute malicious code on a device via a specially crafted media file delivered via MMS. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered without user-interaction, even when a victim is away from their phone. Before they can tell anything has happened, the attacker is able to remove any signs of the device being compromised by simply deleting the infected message and the victim will continue their day as usual - with a trojaned phone."

To address the delays and issues associated with the propagation of Android patches, Zimperium formed the Zimperium Handset Alliance (ZHA). How is it working out and what advances has it made?

"The Zimperium Handset Alliance (ZHA) is an association of different parties interested in exchanging information and receiving timely updates on Android's security-related issues. Our goal in creating this coalition was to address the key concerns that arise in the smartphone security ecosystem. More than 25% of the largest Android device OEMs and wireless carriers have joined the ZHA and made great strides in improving the patch deployment process. However, the fact still remains that many users will never receive the updates they need to be fully protected."

Can you provide some specifics on how Google assisted with remediating Stagefright?

"After Stagefright was discovered, Google moved swiftly to provide a security patch and update its Hangouts and Messenger apps to remove automatic media processing. It also introduced monthly Android Security Bulletins, with other vendors (including Samsung and LG) soon following suit."

What are the current statistics involving Stagefright? Does it remain mitigated for the devices which were patched against it?

"Stagefright has impacted nearly 1 billion Android devices total and in the past year, Google has patched 107 libstagefright/mediaserver related vulnerabilities. But despite these patches, there are an alarming 850 million devices that are still vulnerable as of March 2016."

What are your top three best practices for mobile security?

"Our most important piece of advice is to always update your phone as soon as a software update becomes available. Too many people opt to ignore updates, which leaves their phone vulnerable to cyber criminals. Mobile device users should also avoid using public Wi-Fi and should adjust the settings on their smartphone so that it doesn't automatically connect to Wi-Fi networks. Finally, the default security settings on your smartphone are not enough. If you're serious about keeping your data safe from known and unknown threats, protect your device using a third-party security system."

Are there any other similar threats looming?

"As previously stated, since discovering the initial Stagefright vulnerability last year, Google has patched 107 libstagefright/mediaserver related vulnerabilities, meaning there are many similar threats at large which can be mitigated via these patches. But because of Android's fragmented security system, most users have not received the patches necessary to be protected and are still vulnerable to these threats."

Do you feel Android is more secure than iOS, or vice versa?

"I don't necessarily think one OS is more secure, but there is a perception that iOS is more secure, and I don't believe iOS is as secure as many people believe. The spotlight on Android has created the impression that iOS security is superior; however, Apple's ability to instantly push software updates is losing value. Updates are only effective if users take the time to install. The latest App Store numbers show that 29% of iOS users are running on old and outdated versions, unnecessarily exposing themselves — and their company's sensitive data — to hackers."

Do you feel any manufacturers or carriers are more secure than others?

"Carriers and handset manufacturers that provide timely updates are more secure. The reverse also applies. For instance, Motorola recently stated they will be unable to keep up with monthly updates and will provide updates in larger, less timely batches."

Anything else to share with the readers?

"A year ago, we knew the Stagefright vulnerability was alarming, but we could have never anticipated the reach and impact it continues to have. While we still have more work to do, we're incredibly thankful to Google and to the many manufacturers and carriers who have taken steps to make our mobile ecosystem safer."


About Scott Matteson

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.
