How to Hack Android Devices Using the StageFright Vulnerability [Updated 2019] | Forum

xysoom Aug 12 '19

In July 2015, mobile-security firm Zimperium declared it discovered a high-severity vulnerability inside the Android operating system. The critical flaw exists in a core component named “StageFright,” a native media playback library Android uses to record, process and play multimedia files.

Further details were disclosed publicly at the BlackHat conference in August 2015 — but not before the news revealed billions of Android devices could potentially be compromised without users knowing. Researchers stated StageFright weaknesses are all “remote execution” bugs, enabling malicious hackers to infiltrate Android devices and exfiltrate personal data.

StageFright can use videos sent through MMS as a source of attack via the libStageFright mechanism, which assists Android in processing video files. Several text messaging applications — including Google Hangouts — automatically process videos so the infected video is ready for users to watch as soon as they open the message. For this reason, the attack could take place without users even finding out.

It seems laborious, but it works within a matter of seconds: a typical StageFright attack breaks into a device within 20 seconds. And while it’s most effective on Android devices running stock firmware like Nexus 5, it’s known to function on the customized Android variants running on phones like the Samsung Galaxy S5, LG G3 and HTC One. StageFright’s popularity made it the first mobile-only threat featured on WatchGuard Threat Lab’s top-ten list of hacking attacks detected by IPS in 2017.

The StageFright component is embedded in native code (i.e., C++), instead of memory-safe languages such as Java, because media processing is time sensitive. This itself can result in memory corruption. Researchers therefore analyzed the deepest corners of this code and discovered several remote code execution vulnerabilities attackers can exploit with various hacking techniques, including methods that don’t even require the user’s mobile number.

In the original hacking method (discussed later), the hacker had to know the user’s mobile number for triggering StageFright via MMS. If an adversary wants to attack a large number of Android phones with this message, he/she should first gather a large number of phone numbers and then spend money in sending out text messages to potential victims.

Alternatively, the hacker can embed the exploit in an Android app and play the infected MP4 file to trigger the StageFright exploit. Here’s a video of the concept: https://www.ttspy.com/how-to-hack-an-android-phone-with-ttspy.html
