Smartphones and other electronic devices frequently turn out to have vulnerabilities that can seriously harm them. Android is the most popular mobile operating system, used by millions of smartphone users. Android users who assumed that patches and updates from Google and smartphone manufacturers had put the hazardous ‘Stagefright’ behind them are in for a shock. The Stagefright vulnerability was discovered in 2015 and put more than a billion Android smartphones at risk. Since then, the Android security team and many smartphone manufacturers have issued patches and updates to reduce the risk.
It appears that these security updates and patches were not enough, as security researchers from NorthBit have managed to demonstrate a successful Stagefright exploit. The researchers successfully exploited the Android Stagefright bug, which places millions of Android devices in jeopardy of being hijacked and leaves numerous smartphones and tablets vulnerable to remote hacking. In a demonstration, the researchers were able to remotely hack a device with a Stagefright-based exploit.
An Israeli software security research company called NorthBit has revealed, in a detailed research paper, that it has exploited the dreaded Stagefright Android bug, which has in the past put a billion users' smartphones at risk. The exploit would let attackers obtain complete access to a device’s files, which they could copy or delete, as well as access to the camera and microphone.
In a video, the firm’s security researchers demonstrated the exploit on a Google Nexus 5, and they have successfully replicated it on other devices, including the LG G3, the HTC One, and the Samsung Galaxy S5. The team was able to hack devices running Android 2.2, 4.0, 5.0, and 5.1. Fortunately, other versions of Android don’t seem to be affected by the issue. According to the team, approximately 36 percent of 1.4 billion active smartphones running Android 5.0 Lollipop or 5.1 are vulnerable to hacking. In simple words, Android users who do not have the latest security updates are vulnerable to the hack.
Stagefright is a vulnerability in a software library, written in C++, that is built into the Android operating system. The Zimperium researchers said the library was susceptible to memory corruption, and that an MMS message containing a video, if crafted in the right way, could trigger malicious code and hijack an Android smartphone.
How Does the Hack Take Place?
In the paper, the security researchers outline a three-step process to hijack an Android device. Here is the step-by-step process that puts millions of Android devices at risk.
- First, a user is lured into visiting a specially crafted web page hosting a video file that crashes the media server software on the target device.
- The video file then resets the media server software and waits for the device to restart.
- It then gathers more information, such as details of the internal environment of the Android device.
- Once this is done, another video file is sent to the victim’s handset, which executes a malware payload and starts spying.
Researchers say that the exploit attacks the CVE-2015-3864 bug in a “fast, reliable and stealthy” way by bypassing ASLR (address space layout randomization), a mechanism designed to thwart exploit writers. To hijack a device successfully, attackers must perform a sequence of operations.
Video: Stagefright Returns – 500 Million Android Devices at Risk
The first Stagefright bug was discovered by a security researcher in July 2015, when it was revealed that the vulnerability left up to 95 percent of all Android devices exposed to exploitation.
A second critical Stagefright vulnerability was discovered not long after, in the same year; it could be exploited via an encoded .mp4 or .mp3 file sent using MMS. When these files were opened, they were said to be capable of remotely executing malicious code. It was estimated that almost 950 million Android devices were left vulnerable to the bug.
Fundamentally, the exploit can be triggered just by visiting a malicious web page, as the video below shows.
Watch the video below to see Stagefright being exploited on a Google Nexus 5:
Google, however, released a security patch for the bug and promised regular security updates for Android smartphones following the publication of Stagefright’s details. It seems, though, that the company has not yet released patches for all versions of Android.