Attack code exploiting Android’s critical Stagefright bugs is now public

Attack code that allows hackers to take control of vulnerable Android phones finally went public on Wednesday, as developers at Google, carriers, and handset manufacturers still scrambled to distribute patches to hundreds of millions of end users.

The critical flaws, which reside in an Android media library known as libstagefright, give attackers a variety of ways to surreptitiously execute malicious code on unsuspecting owners' devices. The vulnerabilities were privately reported in April and May and were publicly disclosed only in late July. Google has spent the past four months preparing fixes and distributing them to partners, but those efforts have faced a series of setbacks and limitations.

For one thing, some of the fixes—for instance, new versions of Hangouts and Messenger that blocked automatic processing of multimedia files sent over the MMS text protocol—were little more than Band-Aids. They blocked one of the most frightening of the attack scenarios while doing little to prevent others, such as exploits that relied on a user browsing to a malicious website. Also problematic: even when patches fixing the underlying cause were available to end users, at least one of them, for a flaw indexed as CVE-2015-3864, was so flawed that attackers can exploit the vulnerability anyway. Android apps such as this one from Zimperium—the security firm that first disclosed the Stagefright bugs—show that a Nexus 5 phone running all available patches remained wide open at the time this post was being prepared.
