Stagefright Vulnerability is Back, Millions of Android Devices At Risk

The mother of all android vulnerabilities is back again. Last year, the stagefright bug had put some 950 million android phones at risk of hacking. And now millions of android devices are at risk again. A group of Israeli researchers claim that they have found a new way to exploit the vulnerability.

What is Stagefright?

“Stagefright” is the name of the media library—a portion of Android’s open source code—in which the bugs were found. It’s obviously a great bug name, too. The original stagefright vulnerability was discovered by the researchers at Zimperium. Google has since issued multiple patches and fixes to the stagefright vulnerability.

How Does the StageFright Vulnerability Work?

The StageFright vulnerability uses the Android video processing mechanism, libStageFright over MMS videos as its source of an attack. Various Android messaging apps like Hangout process videos automatically and as a result, users get to watch the infected videos as soon as they open the target message. So, the StageFright attack could take place even without the user knowing about it.


The mechanism of StageFright seems a bit laborious, but generally, the vulnerability takes less than 20 seconds to get into the target system and infect it. It is generally more effective on devices running on stock Android like Google phones. Moreover, it is also known to function on customized devices like the Samsung Galaxy series, LG G series, and HTC devices. The vulnerability became so popular that it featured in the WatchGuard Threat Lab’s list of top-ten hacking attacks in 2017.

Metaphor - A (real) real­ life Stagefright exploit

The research company NorthBit, based in Israel, published a paper 'Metaphor' - that's the name of their stagefright implementation. The paper presents the research results, further details the vulnerability’s limitations and depicts a way to bypass ASLR as well as future research suggestions. They present a more thorough research of libstagefright and new techniques used to bypass ASLR.

The company also said that the exploit works best on Nexus 5 with stock ROM. It was also tested on HTC One, LG G3 and Samsung S5, however exploitation is slightly different between different vendors.

The team built a working exploit affecting Android versions 2.2 - 4.0 and 5.0 - 5.1, while bypassing ASLR on versions 5.0 - 5.1 (as Android versions 2.2 - 4.0 do not implement ASLR). They even shared the distribution of Android platform versions taken from statista, which depicted -

● 23.5% of Android devices are versions 5.0 ­ 5.1 ­ about 235,000,000 devices

● 4.0% of Android versions are versions 2.x with no ASLR ­ about 40,000,000 devices

"Looking at these numbers, it's hard to comprehend how many devices are potentially vulnerable," NorthBit wrote.

How Your Android Device Can Be Protected From StageFright Attacks?

While Google has released a patch for the vulnerability in its latest OS update, a large number of Android users using the older versions are still at risk. For those users, it’s either up to their manufacturers or the users themselves to take steps and stay protected from this vulnerability. Here is a list of things you can do in order to ward off this vulnerability:


1. Disable Auto-Retrieval of MMS Messages:

In message settings, users can find this option and disable the automatic download of video messages. MP4s will download only if the user taps on it or as per their discretion. In this manner, the risk will be avoided unless the users opt to download the infected message themselves.


2. Install Apps Only from Official App Stores:

Instead of relying on untrusted third-party apps, you must go for apps available on official app stores like the Google Play Store. Reading the app reviews before installation is also a good practice in order to stay safe from malicious apps.


3. Stay Cautious While Navigating Through Web Pages

Web pages on the internet are filled with suspicious links. Before falling into the temptation of clicking on the click-baits, it is always advisable to run a self-diagnosis and avoid downloading attachments. A little caution will certainly go a long way and protect you from massive security vulnerabilities. 

Published on Mar 18, 2016
Harshit Agarwal
Written by Harshit Agarwal
Harshit Agarwal is the co-founder and CEO of Appknox, a mobile security suite that helps enterprises automate mobile security. Over the last decade, Harshit has worked with 500+ businesses ranging from top financial institutions to Fortune 100 companies, helping them enhance their security measures.
Beyond the tech world, Harshit loves adventure. When he's not busy making sure the digital realm is safe, he's out trekking and exploring new destinations.


Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now