Roughly a month after the frightful Stagefright Android vulnerability was disclosed, Zimperium's security researchers have published sample code for exploiting the bug. As a refresher, Stagefright is a critical vulnerability in Android that allows attackers to perform remote code execution, and it affected 95% of Android handsets at the time it was reported. For the nitty-gritty, you can watch this Black Hat conference video.
Since the disclosure, Google has published updated versions of its Hangouts and Messaging apps, plugging the worst of the attack vectors—a booby-trapped MMS could provide root access to an attacker, oftentimes with no indication to the user that something funky was happening. Zimperium notes that MMS is only one of over ten attack vectors, though, and it has created an app called Stagefright Detector so that users can check if and how their devices are affected. The security company's tests have also been integrated into the Android Compatibility Test Suite, which means all future devices must include the Stagefright patch to be deemed "Android Compatible."
Zimperium reported two sets of vulnerabilities to Google back in April and May, some of which carry a critical severity rating. Google integrated fixes for all of those disclosures in the main Android Open Source Project source tree, but it's still up to the OEMs and carriers to provide updated versions of their devices' firmware. The disclosure of sample exploit code should hopefully light a fire under their collective bottoms.