In an effort to push Google, smartphone manufacturers and wireless carriers to speed up the release of patches to the gaping Stagefright hole left in hundreds of millions of Android devices, the mobile security firm that first unveiled the security flaw has made the exploit code available to the public.

Joshua Drake, vice president of platform research and exploitation at Zimperium zLabs, says publishing the code as a proof-of-concept for Stagefright can possibly invite cyber-criminals to use the code to carry out their attacks. However, the risk of unscrupulous individuals taking advantage of the code far outweigh the benefits of allowing companies and organizations to test if they are vulnerable to hacking.

"Exploits don't hack people, people hack people," Drake said.  

Stagefright was first discovered in April but only disclosed to the public in late July. The vulnerability is found in a media library called libstagefright and allows attackers to take over a remote device simply by sending people an MMS. As a result of the media frenzy that ensued after Zimperium's revelation, Google promised to release monthly security updates for its line of Nexus devices. Samsung followed suit.

The proof-of-concept code, which is written in Python, generates an MP4 file that creates a reverse shell to allow attackers to gain access to the microphone and camera and listen in on the user and take pictures without their knowledge. However, the code is actually only tested for Android 4.0.4 Ice Cream Sandwich, and users on Android 5.1 Lollipop or higher are for now safe from being exploited through the released code.

"Using this exploit still requires some technical expertise, but obviously it is not as hard as building it in the first place," Drake added. "In addition, we added a 'newbie trap' for the less technically inclined folks out there."

The choice of testing on an Ice Cream Sandwich device, however, is due to the "partial implementation" of address space layout randomization (ASLR), which, according to Google, keeps nine out of 10 Android phones safe from the exploit. Drake, however, said Zimperium has tested via MMS and through the browser that the flaw can easily get around ASLR. On Ice Cream Sandwich, which does not have the fix available on Lollipop, attackers can easily bypass Google's protections.  

"As a mobile threat protection company, we are constantly looking for holes in mobile operating systems to ensure our customers' safety from advanced mobile attacks," said Drake. "Unfortunately, at this point, we cannot share additional details but expect new things soon."

Photo: Atomic Taco | Flickr

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion