Google Android Stagefright Exploit Released in the Wild

An exploit that lets hackers execute code remotely on Android devices using only the victims' phone numbers has been released in the wild so that security teams, administrators, and penetration testers can test whether or not systems remain vulnerable. Zimperium Mobile Security, a digital security company focusing on mobile enterprise devices, released the Python script it developed to exploit the vulnerability in mobile phones.

Known as Stagefright, the vulnerability, which Zimperium first discovered in April, allows attackers to gain control of an Android device via a specially crafted media file delivered via MMS. By gaining remote code execution privileges, an attacker can delete the original MMS used to gain control of the device, leaving the victim completely unaware of the hack.

Massive Interest from Developers

Zimperium had already released much of its research into the vulnerability. After initially reporting the problem to Google in April and May, the company announced in July that it would be publishing the exploit it had developed at the Black Hat USA convention in August. Slides from a presentation given by Joshua Drake, ZimperiumEUs VP of platform research and exploitation, have already been released by the company on YouTube.

The company has also released its own Stagefright Detector app for Android, which can be used to determine if a device is vulnerable to an exploit using the libstagefright library. The company said it is also working with Google to integrate the appEUs analytical logic into AndroidEUs Compatibility Test Suite, which would ensure that the vulnerability would be fixed in all future Android devices before they shipped.

News of the Stagefright vulnerability generated a massive response from the developer community. EUWe expected other researchers to explore the vulnerabilities we disclosed and discover additional vulnerabilities in the Stagefright library over time,EU the company said in a blog post....

Comments are closed.