Researchers Release Android Stagefright-Based Attack Code Into The Wild

A month-and-a-half after the rather brutal 'Stagefright' Android vulnerability was revealed, the researcher who discovered it has decided to release his exploit code. By now, we'd hope that most people who have devices affected by Stagefright will have been patched up, or at the very least are using updated versions of the software that help negate its effects.

Stagefright has become what seems like a continuation of messaging-related bugs that have plagued mobile platforms this past year - even Apple users had to deal with one. Stagefright is much more severe, though, as it has multiple attack vectors, and in some cases, the text message doesn't even need to be manually opened for it to expose your system. It's bad news, and the major reason behind a recent stepping-up from Google itself, and LG and Samsung, which are all vowing to release more regular patches.

Android Army

There are a couple of different reasons why this researcher wanted to release this exploit code. One of the most important ones is that with it in the hands of fellow researchers, other vulnerabilities may be discovered with this particular library, called libstagefright. Included within is a Python script that generates a malicious MP4 file, one that exploits the 'stsc' vulnerability. With it, the user gains access to the system's shell as the media user, and in turn is granted access to a number of others, like audio, inet, and camera. As you might expect, that'd allow the attacker to take advantage of any of those subsystems.

If you want to delve really deep into Stagefright, or have a look at the Python script that Zimperium is providing, hit up the link below. Not that it needs to be said, but vulnerabilities like this, which are so easy to exploit, need to become a thing of the past. It's truly embarrassing that companies can let such serious exploits loose on such a massive scale.


Via:  Zimperium
Show comments blog comments powered by Disqus