[SingCERT] Stagefright Vulnerability on Android OS

Published on Wednesday, 29 July 2015 18:00

[ Background ]

Researchers at Zimperium discovered a major vulnerability (named Stagefright) in Android operating system.
A malicious media file can be specially crafted and delivered to a user’s mobile phone via MMS (Multimedia Messaging System) to download and execute malicious codes without requiring any user interaction. Users with devices using Android OS 2.2 and above are vulnerable. 

The Stagefright vulnerability has been assigned with the following CVE numbers:

  • CVE-2015-1538
  • CVE-2015-1539
  • CVE-2015-3824
  • CVE-2015-3826
  • CVE-2015-3827
  • CVE-2015-3828
  • CVE-2015-3829


[ Affected Software ]

Android OS 2.2 and above


[ Impact ]

Successful exploitation of the vulnerability will result in remote code execution.


[ Solution/Workaround ]

Google Nexus devices users should patch their devices as soon as the patches have been made available by Google.

  • Users who are using other non-Google Nexus Android devices should check with their respective manufacturer for the patch availability. As an interim protective measure, users should exercise caution and not download media files sent via MMS and should deactivate the auto retrieval feature for MMS until such time when the patches for their devices are available.


[ References ]

http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/
http://www.theguardian.com/technology/2015/jul/28/stagefright-android-vulnerability-heartbleed-mobile
http://www.zdnet.com/article/stagefright-just-how-scary-is-it-for-android-users/
http://www.androidpolice.com/2015/07/27/vast-majority-of-android-devices-are-vulnerable-to-stagefright-exploit-that-can-be-executed-via-text-message-according-to-researchers/
http://www.npr.org/sections/alltechconsidered/2015/07/27/426613020/major-flaw-in-android-phones-would-let-hackers-in-with-just-a-text
https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html