"Stagefright" media playback engine

There's a scary-sounding story going around this morning about the "worst Android vulnerability in the mobile OS history!" (Exclamation point theirs, not ours.) The gist is that malware could be embedded in a video, which theoretically could be exploited without you doing a single thing. And, oh, just about every Android phone is vulnerable.

So should you worry? Let's discuss.

What is it?

Details are mostly being withheld publicly until the Black Hat conference next week in Las Vegas, but the gist is that malware theoretically could be embedded in a video file. And that video file could then be sent via MMS (text message) to your phone. The exploit comes into play with Google's (now regrettably named) "Stagefright" media playback engine, which was introduced in Android 2.2. And if you use a text messaging app that goes ahead and prepares that file for you for viewing — as Google Hangouts does, according to the example — your phone is potentially vulnerable, should a rogue video be processed.

Who found this exploit?

The exploit was announced July 21 by mobile security firm Zimperium as part of an announcement for its annual party at the Black Hat conference. Yes, you read that right. This "Mother of all Android Vulnerabilities," as Zimperium puts it, was announced July 21 (a week before anyone decided to care, apparently), and just a few words before the even bigger bombshell of "On the evening of August 6th, Zimperium will rock the Vegas party scene!" And you know it's going to be a rager because it's "our annual Vegas party for our favorite ninjas," complete with a rockin' hashtag and everything.
So, ya know, it's serious. Or something.

How widespread is this exploit?

The short answer is we don't really know. Any exploit that potentially affects any device back to Android 2.2 is absolutely no bueno. The Stagefright media engine is deep down in the Android OS. You don't want to see anything exploiting it. Zimperium apparently alerted Google in April and May, proposed patches, and Google accepted them. What we don't know is whether the fix has been pushed to Google's phones (the Nexus line), or if any manufacturers have pushed out the fix on their end. (We wouldn't put money on it, though.)
The good news is that the researcher who discovered this flaw in Stagefright "does not believe that hackers out in the wild are exploiting it." So it's a very bad thing that apparently nobody's actually using against anyone, at least according to this one person.

So should I worry or not?

Make no mistake about it: This is a bad exploit. And it further highlights the difficulties of getting updates pushed out through the manufacturer and carrier ecosystem. On the other hand, it's a potential avenue for exploit that apparently has been around since Android 2.2 — or basically the past five years. That either makes you a ticking time bomb, or a benign cyst, depending on your point of view.
And for its part, Google told Android Central that there are multiple mechanisms in place to protect users.
"We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.
Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device."
For more on how that works, read our Q&A on security with Google's Adrian Ludwig.
This is an exploit that needs to be fixed, sooner rather than later — if it hasn't been already. But it's not one that's going to keep us up at night. There are a lot of unknowns, and unfortunately they're being ignored for the sake of scary-sounding storytelling.
