A number of new Android vulnerabilities could allow remote attackers to compromise affected devices by simply sending them a malicious multimedia message (MMS). The vulnerabilities pose a threat to Android users since in most cases, the victim simply has to look at the malicious message to trigger an exploit.
The seven are collectively known as the Google Stagefright Media Playback Engine Multiple Remote Code Execution Vulnerabilities (CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829). The vulnerabilities affect an Android component known as Stagefright, which is responsible for handling media playback.
Successful exploitation of any of the seven vulnerabilities could provide an attacker with remote code execution capabilities. This could enable an attacker to install malware on the device and steal data from areas accessible with Stagefright’s permissions.
Symantec rates these vulnerabilities as critical due to the impact of successful exploitation and the ease with which they can be exploited. All an attacker needs to do to successfully exploit these vulnerabilities is to send a specially crafted multimedia message (MMS) to any vulnerable Android device. Exploitation requires little or no interaction on the part of the victim. In most cases, the victim simply has to look at the malicious MMS message to trigger the exploit. In some cases, such as when a malicious message is sent via Google Hangouts, the exploit triggers once the message is received, before the victim even receives a notification.
The vulnerabilities were discovered by security researcher Joshua Drake from Zimperium zLabs, who notified Google about them in two batches in April and May. Google patched the vulnerabilities on May 8. In a statement released to Forbes, Google said that most Android devices, including all newer devices, “have multiple technologies that are designed to make exploitation more difficult”. “Android devices also include an application sandbox designed to protect user data and other applications on the device,” it said.
The severity of these vulnerabilities is compounded by the fact that despite the availability of a patch from Google, users are at risk until carriers and manufacturers roll out their own patches. This can often take weeks or months and many older devices may never have a patch pushed out to them.
Android users are advised to apply any security updates issued by their carrier or device manufacturer as and when they become available.
Until a patch is applied, exercise caution when receiving unsolicited multimedia messages. Avoid downloading or playing multimedia content sent from unknown sources.
Android users can disable the automatic retrieval of multimedia messages in the stock Messaging application as well as in Google Hangouts. This provides partial mitigation only: it stops the exploit from triggering on receipt, but it will not prevent the vulnerabilities from being exploited if a malformed or malicious multimedia message is subsequently downloaded and opened.
Figure 1. Automatic retrieval of multimedia messages enabled in stock Messaging application. Disable this to provide partial mitigation.
Figure 2. Automatic retrieval of multimedia messages enabled in Google Hangouts. Disable this to provide partial mitigation.