Android Virus (Stagefright: Vulnerability Details, Stagefright Detector tool released)

The Stagefright vulnerability has been one of the hottest topics of discussion in the security industry since it was announced. In order to provide a detailed insight into the vulnerability and ease of exploitation, zLabs VP of Platform Research and Exploitation, Joshua Drake (@jduck) prepared the video below that demonstrates the attack.

You can watch the Stagefright demo video on ICS here: https://youtu.be/PxQc5gOHnKs

Zimperium launched ‘Zimperium Handset Alliance’ (ZHA) on August 1, 2015 to share mobile security threat information to accelerate the availability of threat mitigations and updates. Over 25 of the largest global carriers and device manufacturers are already part of the Alliance. The strong interest in Zimperium Handset Alliance from mobile ecosystem partners is a clear indication of the critical need to exchange relevant threat information and provideupdate mobile devices as quickly as possible to protect customers. Zimperium is proud to drive this change.

1. CVE-2015-1538, P0006, Google Stagefright ‘stsc’ MP4 Atom Integer Overflow Remote Code Execution
2. CVE-2015-1538, P0004, Google Stagefright ‘ctts’ MP4 Atom Integer Overflow Remote Code Execution
3. CVE-2015-1538, P0004, Google Stagefright ‘stts’ MP4 Atom Integer Overflow Remote Code Execution
4. CVE-2015-1538, P0004, Google Stagefright ‘stss’ MP4 Atom Integer Overflow Remote Code Execution
5. CVE-2015-1539, P0007, Google Stagefright ‘esds’ MP4 Atom Integer Underflow Remote Code Execution
6. CVE-2015-3827, P0008, Google Stagefright ‘covr’ MP4 Atom Integer Underflow Remote Code Execution
7. CVE-2015-3826, P0009, Google Stagefright 3GPP Metadata Buffer Overread
8. CVE-2015-3828, P0010, Google Stagefright 3GPP Integer Underflow Remote Code Execution
9. CVE-2015-3824, P0011, Google Stagefright ‘tx3g’ MP4 Atom Integer Overflow Remote Code Execution
10. CVE-2015-3829, P0012, Google Stagefright ‘covr’ MP4 Atom Integer Overflow Remote Code Execution

POC files are attached –
https://s3.amazonaws.com/zhafiles/Zimperium-Handset-Alliance/ZHA-Crash-PoC.zip

Stagefright Patches are available here –
https://s3.amazonaws.com/zhafiles/Zimperium-Handset-Alliance/ZHA-Stagefright-Patches.zip

Samsung released an app that allows users to disable MMS on their devices. We would like to thank the KNOX group for working closely with Zimperium Handset Alliance to solve this issue on older devices. The Samsung MMS control app can be downloaded from: https://s3.amazonaws.com/zhafiles/Zimperium-Handset-Alliance/Samsung_KNOX_and_ZHA_ap_MMSCtrl.apk

We are working with carriers and device vendors to design solutions to protect users that do not currently have Zimperium zIPS on their phones.

STAGEFRIGHT DETECTOR APP

Today Zimperium launched the ‘Stagefright detector App’ for Android users to test if their device is vulnerable. The app is available for download on the Android store. Download link: http://adf.ly/1MAFna

  

- See more at: https://blog.zimperium.com/stagefright-vulnerability-details-stagefright-detector-tool-released/#sthash.bySQ3Wzv.dpuf - See more at: https://blog.zimperium.com/stagefright-vulnerability-details-stagefright-detector-tool-released/#sthash.bySQ3Wzv.dpuf

How it works

If targeted, the hypothetical hacker needs only to send an MMS message, which in many cases doesn't even need to be read before the attacker gains access to the victim's microphone and camera. The file will contain malicious code that executes by taking advantage of the problems in the Stagefright codebase. In the worst case, Zimperium says, the attacker could remove any trace of the offending MMS before the end user is even made aware that one is received.

When MMS content is automatically downloaded, as is the default setting in Hangouts and many other applications, the owner of the phone doesn't have to interact with the message at all for malicious code to get privileged access in the system. There are several variables at this point in the process that affect just how much damage can be done.

Zimperium's lead researcher Josh Drake warns that a sophisticated attacker could take advantage of the weaknesses used for Towelroot and PingPongRoot to wreak even more havoc in devices running firmware that doesn't include those patches.

Google has emphasized the "sandboxing" that occurs in Android as an effective method of protecting users, which it is. Apps in general can only interact via certain vectors as a way to prevent one piece of malware from stealing or altering data in others. This mostly holds true with the Stagefright exploit, but all bets are off if root access is gained. The attacker will have more privileges than the messaging app sandbox would normally allow, too.

A point of emphasis is that this is not a Messages/Hangouts/MMS bug. The weakness is in the part of the OS known as Stagefright which handles media playback and could be exploited in multiple ways. The MMS message is simply the easiest way for a hacker to target a particular person without the victim having any way to defend his or herself.

The nitty gritty details still haven't been revealed in full to avoid very explicitly handing instructions to hackers, but they will be discussed at a conference in the coming days, as is accepted practice in the security community.

Who is vulnerable

At this point, fortunately, it isn't believed that any hackers have been capitalizing on this vulnerability. With that said, updates have reached exceedingly few devices at this point in time. All but the absolute newest builds of Android 5.1.1 could be exploited, but over time patches will reach builds as old as KitKat.

Having older software is no use either, as users with Gingerbread 2.2 and possibly even before aren't safe. In fact, experts warn, 2.x builds are the most vulnerable since there are so many known methods for the attacker to gain root access.

Zimperium estimates that 95% of Android users have some portion of the Stagefright security holes. That does not mean that 95% will be targeted, since it is far from the type of thing the novice hacker would have the know-how to implement.

This shouldn't cause a mass panic, but it nonetheless is a big problem for Android in general. There is some safety in numbers, so you don't need to feel like you're about to be hacked, but this is a serious big picture issue.

How it is being fixed

Josh Drake told Google about the problems privately in April. There are several patches now included in all OS versions from KitKat 4.4 and onward, but very few end user phones are protected at this point.

This brings into further focus the problems of OEM and carrier control over software updates, since it is likely to be a long time before devices receive patches if they ever do.

According to Ars Technica, though, the Nexus 5 running 5.1.1 is still fully exploitable and the Nexus 6is only partially patched. Since everyone will be eager to assign blame, it is important to recognize that even Google's own flagships aren't "fixed" yet in spite of months to take action.PrivatOS, the customized Android version for Silent Circle's Blackphone, is one of few to have already pushed updates. CyanogenMod has implemented Google's patches for the past two weeks of builds. Drake and collaborators also found that Firefox could be penetrated with a similar method, but it has been made safe since v38 (the current stable version is v39).

What users can do

In many ways, unfortunately, you're helpless. If possible, use a messaging app that allows you to disable automatic downloading of MMS attachments. This is the behavior that allows you to be exploited via a message without you even knowing. You could also consider blocking messages from unknown numbers if your messaging software allows.

Still, as the man who publicized the Stagefright vulnerabilities said, MMS is just one of many ways you can be exploited.

While he hasn't come out and said "don't use Chrome," Drake has suggested that Firefox is your best bet to avoid hacking by browser.

By and large, he has been dismissive about suggestions that app makers can protect users because the problem is at the OS level. General suggestions include trying to avoid attempt at social engineering that would trick you into opening malicious messages, files, or websites. Your best bet, though, is convincing those in charge to fix the OS:

A Google representative says that security patches will be sent to Nexus devices starting next week

Source 1