There’s a bug in all by the most recent versions of the Android operating system that can theoretically allow attackers to take over the device simply by viewing a web page or downloading a media file. It’s actually in the Stagefright library, and was the talk of Black Hat last August. Then it was considered hard to exploit, but security researcher Hanan Be’er at North-Bit in Israel has now published a paper proving it’s very dangerous.
Stagefright is the name of the media processing library found in all versions of Android you’re likely to find. It opens and reads any media downloaded to the device. With a specially crafted file you can cause it to crash when it does this; you don’t have to even play the file. However, it has been difficult to make use of this fact to “break out” and do anything more nasty.
Since Android 5.0, a system called Address Space Layout Randomisation (ASLR) has been in use. Basically the memory space is shuffled randomly so malicious code doesn’t know where anything else is, making attacks more difficult. This made exploiting Stagefright’s flaws a lot harder. The fact that the problem exists on Android 2.2 to 4.x, which doesn’t do ASLR, has been the subject of much complacency. Google has released fixes for the bug, known as CVE-2015-3864, but by no means have all the Android devices been updated. I guess that the vast majority have not, including the recent ones using Android 5.x. The infrastructure for updating Android simply doesn’t exist. Apple’s devices are very exploitable, but at least they have a mechanism for updating them.
So how does the North-Bit exploit work? It’s actually very straightforward. First you deliver a dodgy video file to the device; putting it on a web site is the obvious, easy method. This will cause Stagefright to crash and restart in a known state. When it does this, some JavaScript running on the same page slurps various parameters on the system, such as the current location of libc, and sends it back to the attacker. A new video file is then created and sent using this information, and it’s game over – possibly after a few tries, but North-Bit says the exploit is reliable.
How worried should we be? I’d say we should be very worried. Unless your device manufacturer and/or mobile network rolls out the patch, I can’t see any mitigation.