
Google patches another ‘high severity’ bug in Android

Stagefright was one of the biggest and most worrying security vulnerabilities to be discovered in Android for quite some time. “Devices with customised versions of Android but with no modification made to the media server component are also affected”. Even though the distribution of updates in the Android ecosystem has shown some improvements lately, there will likely be many devices that will not be patched because they are no longer supported.


The latest vulnerability, designated as CVE-2015-3842, involves the AudioEffect component of the Android mediaserver program.

It is therefore possible to craft a rogue application, requiring no special permissions, that exploits the flaw to trigger a heap overflow, the Trend Micro researchers said Monday in a blog post. Despite this, and the fact that Google has issued a patch, millions of handsets remain vulnerable not only to Stagefright but also to the more recent AudioEffect exploit. The Stagefright flaw, which was originally discovered by Zimperium zLabs security researcher Joshua Drake, reportedly allows hackers to take control of certain features on unpatched Android devices remotely, by injecting malicious code through a multimedia file sent via an MMS (Multimedia Messaging Service), thereby compromising the device.

This attack can be fully controlled, which means a malicious app can decide when to start the attack and also when to stop. “Currently, there are no known active attacks against this vulnerability”, the company added. An attacker would be able to run their code with the same permissions that mediaserver already has as part of its normal routines. Google, carriers, and OEMs were quick to roll out the patch, but unfortunately, it seems it does not actually fix the problem. Following the Stagefright revelation last month, Google, Samsung and LG announced they would begin providing security updates for their Android devices about once a month.


In a talk at the Black Hat security conference on August 5, Android’s lead security engineer, Adrian Ludwig, referred to the Stagefright patching effort as the “single largest unified software update in the world”.
