Zimperium Blog

Stagefright wakes up the mobile eco-system

Not everyday you get to wake up an entire eco-system !

Stagefright discovery by Joshua Drake (@jduck) at Zimperium – Mobile Threat Protection. At the time of writing this blog, ZHA has more than 25 members, comprising top 3 Android smartphone vendors, and 5 out of top 10 mobile carriers (by revenue) globally. Zimperium Handset Alliance (ZHA) members are the first to receive security patches, updates on new vulnerabilities, and other important mobile security related information from other members of ZHA. Vendors and carriers that wishes to join ZHA, apply here.

Please keep in mind that we are vetting applicants in an effort to ensure that sensitive information disseminated via this alliance stays within organizations actually charged with responding to Android security issues.

Update: A twitter user wrote that he has an information leak vulnerability in libstagefright that allows to bypass ASLR – which would make the vulnerability dangerous even on 5.1.1 before the latest Stagefright update.

  1. Last week, Stagefright patches and POC files were made public by Zimperium.
  2. Zimperium zLabs released an app to test if your device is vulnerable to Stagefright related CVEs. The Stagefright Detector app can be downloaded for free from the Google Play Store.
  3. Carriers and Vendors are uniting through ZHA to provide security updates to end-users
  4. Watch the video produced by zLabs demonstrating  Remote Code Execution (RCE) without user-interaction on Nexus 5 running Android 4.0.4

You can watch the Stagefright demo video on ICS here:

The entire Android eco-system is working together to solve the Stagefright vulnerabilities. Selected list of recent announcements regarding the impact of Stagefright on Android updates:

 

According to Adrian Ludwig from Google, following devices will receive an update to patch libstagefright vulnerabilities:

  • Samsung: Galaxy S6, Galaxy S6 edge, Galaxy S5, Galaxy S4, Galaxy S3, Note 4, Note 4 edge, Note 3.
  • Google: Nexus 4, Nexus 5, Nexus 6, Nexus 7v2, Nexus 9, Nexus 10
  • LG: G2, G3, G4
  • HTC: One M7, One M8, One M9
  • Sony: Xperia Z2, Xperia Z3, Xperia Z4, Xperia Z3 Comp

And hundreds more!

Ludwig, Advanced Mobile Security

Google’s Adrian Ludwig at Blackhat 2015. Credit: Max Eddy, PCMag – @wmaxeddy

Zimperium zLabs