Android Stagefright bug exploit sample code published

— 9:17 AM on September 10, 2015

Roughly a month after the frightful Stagefright Android vulnerability was disclosed, Zimperium's security researchers have published sample code for exploiting the bug. As a refresher, Stagefright is a critical vulnerability in Android that allows attackers to perform remote code execution, and it affected 95% of Android handsets at the time it was reported. For the nitty-gritty, you can watch this Black Hat conference video.

Since the disclosure, Google has published updated versions of its Hangouts and Messaging apps, plugging the worst of the attack vectors—a booby-trapped MMS could provide root access to an attacker, oftentimes with no indication to the user that something funky was happening. Zimperium notes that MMSs are only one of over ten attack vectors, though, and it's created an app called Stagefright Detector so that users can check if and how their devices are affected. The security company's tests have also been integrated into the Android Compatibility Test Suite, which means all future devices must include the Stagefright patch to be deemed "Android Compatible."

Zimperium reported two sets of vulnerabilities to Google back in April and May, some of which carry a critical severity rating. Google integrated fixes for all of those disclosures in the main Android Open Source Project source tree, but it's still up to the OEMs and carriers to provide updated versions of their devices' firmware. The disclosure of sample exploit code should hopefully light a fire under their collective bottoms.

Like what we're doing? Pay what you want to support TR and get nifty extra features.
Top contributors
1. BIF - $340 2. Ryu Connor - $250 3. mbutrovich - $250
4. YetAnotherGeek2 - $200 5. End User - $150 6. Captain Ned - $100
7. Anonymous Gerbil - $100 8. Bill Door - $100 9. ericfulmer - $100
10. dkanter - $100
Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.