Stagefright: One Year Later
It’s been exactly one year since Joshua J. Drake, our zLabs VP of Platform Research and Exploitation, disclosed Stagefright — one of the worst Android vulnerabilities to date. Stagefright impacted nearly 1 billion Android devices total, and up to 850 million devices remain vulnerable as of March 2016. Stagefright gives attackers, armed with only a victim’s phone number, a way to use specially crafted MMS messages to execute malicious code to gain complete control of their device. The worst part? In some scenarios, the vulnerabilities do not require the victim to take any action in order for malicious code to be executed on their devices.
So what has happened in the last year?
- July 27, 2015 – Publicly disclosed Stagefright vulnerability
- August 1, 2015 – Announced Zimperium Handset Alliance
- August 5, 2015 – Released Stagefright detector tool
- August 13, 2015 – Google released first Android monthly security bulletin
- October 1, 2015 – Zimperium released second set of Stagefright vulnerabilities, in the processing of MP3/MP4 media
- October 2015 – Samsung released first monthly security bulletin, showing vendors following suit
- March 22, 2016 – Zimperium announced that 42.84% of Android devices are still vulnerable to CVE-2015-3864
- May 9, 2016 – FCC & FTC launched joint investigation to determine how/when security updates to Google’s Android operating system reached users
The Stagefright discovery sent a shockwave through the entire mobile ecosystem. Security giants jumped on board with their own “me too” messaging and researchers around the world showed off working exploits and research papers on the Stagefright mediaserver.
Stagefright even caused the biggest OEMs and mobile OS developers to reevaluate how mobile devices were updated. Starting with the initial Stagefright bug, Google moved swiftly to provide a security patch and update its Hangouts and Messenger apps to remove automatic media processing. It also introduced monthly Android Security Bulletins, with other vendors (including Samsung and LG) soon following suit. This brought some much-needed standardization to Android — something that hadn’t happened before.
Apart from the issues we disclosed last year, multimedia-related vulnerabilities have made an appearance in every single Nexus/Android Security Bulletin since their inception last August. The most recent Android Security Bulletin in July included 17 vulnerabilities that affected the mediaserver amongst the 107 CVEs referenced. This brings the total number of Android vulnerabilities disclosed to 357 in the past year.
While Google has invested heavily in improving Android’s security, these patches do little good if they fail to reach end-users. Unfortunately, this is often the case thanks to Android’s fragmented update process that relies on phone manufacturers and carriers to deploy updates. To address the delays and issues associated with the propagation of Android patches, Zimperium formed the Zimperium Handset Alliance (ZHA), which is an association of different parties interested in exchanging information and receiving timely updates on Android’s security-related issues. While more than 25 of the largest Android device OEMs and wireless carriers have joined the ZHA and have made great strides in improving the patch deployment process, the fact remains that many users will never receive the updates they need to be fully protected.
Adding to this problem, the adoption rate of new versions of Android is very slow, with only 13.3 percent of devices running Android Marshmallow (6.0) since its release nearly one year ago. If this trend continues, Android Nougat will only be used on roughly the same number of devices this time next year. This concerns us because outdated devices will not benefit from a majority of the improvements Google has made in response to our (and others’) research related to multimedia processing.
As delays in security updates made headlines, the Federal Trade Commission and Federal Communications Commission got involved. On May 9, 2015, the agencies launched a joint investigation to determine how and when security updates to Google’s Android operating system reached users (and why it has taken so long). The FCC’s statement specifically pointed to Stagefright as an example of the “growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device.”
Wondering if your device is vulnerable? You can check whether it is vulnerable to the original set of vulnerabilities we released in mediaserver and libstagefright, as well as other bugs since fixed in the latest version of Android. Download Zimperium’s Stagefright Detector tool, available on the Google Play store. So far, more than 500,000 people have used the app to see if their devices are vulnerable.
A year ago, we knew the Stagefright vulnerability was alarming, but we could have never anticipated the reach and impact it continues to have. While we still have more work to do, we send sincere thanks to Google and to the many manufacturers and carriers who have taken steps to make our mobile ecosystem safer.