Zimperium releases Stagefright exploit code
Zimperium was the first to pick up on the security flaws and told Google about them four months ago.
Rolling out fixes for Stagefright issues has not been an easy journey for Google.
At the request of mobile carriers and device manufacturers, the code's release was delayed so that proper patches could be prepared.
According to the researchers, the exploit code they released is not generic and has only been tested to work on a Google Nexus running Android Ice Cream Sandwich 4.0.4.
But no doubt attackers will be taking advantage of this exploit as well: let’s hope Android users will receive all the necessary patches for Stagefright very soon.
Some of the fixes issued to combat Stagefright were only temporary measures to reduce levels of risk.
Now, after all the updates have been distributed, Zimperium has released the Python script that allowed them to exploit the Stagefright bug (CVE-2015-1538).
For one thing, some of the fixes (for instance, new versions of Hangouts and Messenger that blocked automatic processing of multimedia files sent over the MMS text protocol) were little more than Band-Aids.
Roughly a month after the frightful Stagefright Android vulnerability was disclosed, Zimperium’s security researchers have published sample code for exploiting the bug. The result is a reverse shell as the media user – granting an attacker access to content, as well as the ability to take pictures or listen to the microphone without betraying their presence – and without the need to exploit additional vulnerabilities.
Zimperium said it was publishing the code so that administrators and penetration testers can validate the effectiveness of the Android community’s response.
However, 100 percent reliability was achieved when an attack vector that allowed multiple intrusion attempts was used. Still, considering almost 80% of devices are still running Android “KitKat” or older, there are millions of people out there who could be affected by an attacker transforming this test code into a real-world exploit.
The vulnerability is one of several that are no longer usable on Android version 5, Lollipop, or later. However, except for Nexus devices, high-end Samsung smartphones like Samsung Galaxy 6 and Galaxy 6 Edge, LG and Motorola, most manufacturers have yet to release the fix to end users.