Skip to main content

Android Stagefright Media Library Remote Code Execution Vulnerabilities

Last Update Date: 29 Jul 2015 11:09 Release Date: 29 Jul 2015 6563 Views

RISK: Extremely High Risk

TYPE: Operating Systems - Mobile & Apps

TYPE: Mobile & Apps

Multiple vulnerabilities have been identified in Android Stagefright Media Library. By sending crafted MMS or media files to target system, remote attackers can exploit the vulnerabilities by to execute arbitrary code on the target system.

 

Note:

  • Proof of concept or exploit code may be available in BlackHat USA on 2015-08-05.
  • Vendor patch is currently unavailable. However, workaround is provided.

Impact

  • Remote Code Execution

System / Technologies affected

  • Android version 2.2.x to 5.1.x

Solutions

  • Note on vendor patch:
    • It was reported that Google has already provided patches to the vulnerabilities. But due to the arrangement of different device manufactuers, the update may not be pushed to their products via OTA immediately. So HKCERT regard there is no vendor patch available at this stage.
    • Please also note that some device manufactuers may not push any updates to older device models. Please contact your vendor for details.
       
  • Workaround:
    1. Turn off "Auto Retrieve" for multimedia messages (MMS) under "Settings", go to "SMS"/"Multimedia message".
      Note: For this workaround, you may find more information for your device model in the following webpage:
      https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html
    Note: The following 3 solutions may impose the risk of losing important information dedicated to you. Please assess the risk before making the decision.
    1. Block all text messages from unknown senders. Usually, you can enable such option under "Settings".
    2. Do not open MMS sent by unknown parties.
    3. Remove all MMS related settings under Access Point Name (APN).

Vulnerability Identifier


Source


Related Link