The 'Stagefright' exploit: What you need to know

In July 2015, security company Zimperium announced that it had discovered a "unicorn" of a vulnerability inside the Android operating system. More details were publicly disclosed at the BlackHat conference in early August — but not before headlines declaring that nearly a billion Android devices could potentially be taken over without their users even knowing it.

So what is "Stagefright"? And do you need to worry about it?

We're continuously updating this post as more information is released. Here's what we know, and what you need to know.

What is Stagefright?

"Stagefright" is the nickname given to a potential exploit that lives fairly deep inside the Android operating system itself. The gist is that a video sent via MMS (text message) could be theoretically used as an avenue of attack through the libStageFright mechanism (thus the "Stagefright" name), which helps Android process video files. Many text messaging apps — Google's Hangouts app was specifically mentioned — automatically process that video so it's ready for viewing as soon as you open the message, and so the attack theoretically could happen without you even knowing it.

Because libStageFright dates back to Android 2.2, hundreds of millions of phones contain this flawed library.

Aug. 17-18: Exploits remain?

Just as Google began rolling out updates for its Nexus line, the Exodus firm published a blog post snarkily saying that at least one exploit remained unpatched, implying that Google screwed up with the code. UK publication The Register, in a flouncily written piece, quotes an engineer from Rapid7 as saying the next fix will come in September's security update — part of the new monthly security patching process.

Google, for its part, has yet to publicly address this latest claim.

In the absence of any further details for this one, we're inclined to believe that at worst we're back where we started — that there are flaws in libStageFright, but that there are other layers of security that should mitigate the possibility of devices actually being exploited.

On Aug. 18, Trend Micro published a blog post on another flaw in libStageFright. It said it had no evidence of this exploit actually being used, and that Google published the patch to the Android Open Source Project on Aug. 1.

New Stagefright details as of Aug. 5

In conjunction with the BlackHat conference in Las Vegas — at which more details of the Stagefright vulnerability were publicly disclosed — Google addressed the situation specifically, with lead engineer for Android security Adrian Ludwig telling NPR that "currently, 90 percent of Android devices have a technology called ASLR enabled, which protects users from the issue."

This is very much at odds with the "900 million Android devices are vulnerable" line we have all read. While we aren't going to get into the midst of a war of words and pedantry over the numbers, what Ludwig was saying is that devices running Android 4.0 or higher — that's about 95 percent of all active devices with Google services — have protection against a buffer overflow attack built in.

ASLR (Address Space Layout Randomization) is a method that keeps an attacker from reliably finding the function he or she wants to exploit, by randomly arranging the memory address space of a process. ASLR has been enabled in the default Linux kernel since June 2005, and was added to Android with version 4.0 (Ice Cream Sandwich).

How's that for a mouthful?

What it means is that the key areas of a program or service that's running aren't put into the same place in RAM every time. Putting things into memory at random means any attacker has to guess where to look for the data they want to exploit.

This isn't a perfect fix, and while a general protection mechanism is good, we still need direct patches against known exploits when they arise. Google, Samsung (1), (2) and Alcatel have announced a direct patch for Stagefright, and Sony, HTC and LG say they will be releasing update patches in August.

Who found this exploit?

The exploit was announced July 21 by mobile security firm Zimperium as part of an announcement for its annual party at the BlackHat conference. Yes, you read that right. This "Mother of all Android Vulnerabilities," as Zimperium puts it, was announced July 21 (a week before anyone decided to care, apparently), and just a few words later came the even bigger bombshell of "On the evening of August 6th, Zimperium will rock the Vegas party scene!" And you know it's going to be a rager because it's "our annual Vegas party for our favorite ninjas," complete with a rockin' hashtag and everything.

How widespread is this exploit?

Again, the number of devices with the flaw in the libStageFright library itself is pretty huge, because it's in the OS itself. But as noted by Google a number of times, there are other methods in place that should protect your device. Think of it as security in layers.

So should I worry about Stagefright or not?

The good news is that the researcher who discovered this flaw in Stagefright "does not believe that hackers out in the wild are exploiting it." So it's a very bad thing that apparently nobody's actually using against anyone, at least according to this one person. And, again, Google says if you're using Android 4.0 or above, you're probably going to be OK.

That doesn't mean it's not a bad potential exploit. It is. And it further highlights the difficulties of getting updates pushed out through the manufacturer and carrier ecosystem. On the other hand, it's a potential avenue for exploit that apparently has been around since Android 2.2 — or basically the past five years. That either makes you a ticking time bomb, or a benign cyst, depending on your point of view.

And for its part, Google in July reiterated to Android Central that there are multiple mechanisms in place to protect users.

We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device. Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.

What about updates to fix Stagefright?

We're going to need system updates to truly patch this. In an Aug. 12 bulletin from its new "Android Security Group," Google issued a "Nexus security bulletin" detailing things from its end. There are details on multiple CVEs (Common Vulnerabilities and Exposures), including when partners were notified (as early as April 10, for one), which build of Android featured fixes (Android 5.1.1, build LMY48I) and any other mitigating factors (the aforementioned ASLR memory scheme).

Google also said it's updated its Hangouts and Messenger apps so that they don't automatically process video messages in the background "so that media is not automatically passed to mediaserver process."

The bad news is that most folks are going to have to wait on the manufacturers and carriers to push out system updates. But, again — while we're talking something like 900 million vulnerable phones out there, we're also talking zero known cases of exploitation. Those are pretty good odds.

HTC has said updates from here on out will contain the fix. And CyanogenMod is incorporating them now as well.

Motorola says all of its current-generation phones — from the Moto E to the newest Moto X (and everything in between) — will be patched, with code going to carriers starting Aug. 10.

On Aug. 5, Google released new system images for the Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9 and Nexus 10. Google also announced that it will release monthly security updates for the Nexus line. (The second publicly released M Preview build appears to already be patched as well.)

And while he didn't mention Stagefright by name, Google's Adrian Ludwig earlier on Google+ had already addressed exploits and security in general, again reminding us of the multiple layers that go into protecting users. He writes:

There's a common, mistaken assumption that any software bug can be turned into a security exploit. In fact, most bugs aren't exploitable and there are many things Android has done to improve those odds. We've spent the last 4 years investing heavily in technologies focused on one type of bug -- memory corruption bugs -- and trying to make those bugs more difficult to exploit.

For more on how that works, read our Q&A on security with Google's Ludwig.

Stagefright detector apps

We don't really see the point in using a "detector" app to see if your phone is vulnerable to the Stagefright exploit. But if you must, there are some available.

161 Comments
  • Whatever Posted via the Android Central App
  • Lol! Exactly Nexus 5 (AT&T)
  • Well you should be in the know. Because there are known knowns and unknown knowns that everyone knows about that they don't know about because it's not known to those who know they don't know, only to those who think they know. Ya know?
  • The panic attack exploit lol Posted via the Android Central App
  • If this was not such a serious vulnerability, then please explain why ALL the major OEMs are now rushing to patch this! And, oh, by the way, it has already been detected in the wild for some time now, but you would not be aware if you were hacked or not! This from the wiki page, and I have read elsewhere too. "In July 2015, Evgeny Legerov, a Moscow-based security researcher, announced that he found two similar heap overflow zero-day vulnerabilities in the Stagefright library, claiming that the library has been already exploited for a while." And there are two NEW exploitations found by Trend Micro: http://blog.trendmicro.com/the-show-goes-on-more-stagefright-horrors-wit... And 360 mobile security posted that there are other settings to worry about: https://www.linkedin.com/pulse/insight-stagefright-flaws-wei-wei?trk=pro... And last, but certainly not least, your file managers are likely vulnerable if they have a built-in media player. (See link above.) So for all you uncaring, who wish to remain ignorant of the realities, your days are numbered. Not if you are ever hacked, but when. Too bad I won't be there to enjoy it! Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • Because no one ever is affected by this shit Posted via the Android Central App
  • +1 Posted via the Android Central App
  • Oh sure, right! That's why Google's Ludwig says that ONLY 15% of total Android devices were infected with some kind of malware, adware, and/or spyware. Do you know what 15% of one BILLION devices is? No? Ok, I'll tell you, it is
    ONE HUNDRED AND FIFTY MILLION Devices! Just because you, or anyone you know, has not experienced these things does not discount the fact that others have. Most people don't even know the symptoms of an infected device. Or how to go about identifying the cause of their malfunctioning devices. Their phone could be a part of a botnet and they would never know it, and just scratch their heads wondering why their battery life took a dump one day, or week, and then returned to normal functions. Or, gee, "my data took a big hit last month." Or, "why is my phone overheating?" and on and on it goes. These are examples of things that could be harmful, or... harmless. But how would you know? So, go on and be careless if you want, but there are others who do more than play games on their device. And could suffer real losses. And speaking of games, there was RANSOMWARE being served up to tens of thousands of gamers not long ago. But who cares, right? Not you! Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • Find me a first hand account of this or a forum and not some statistic Posted via my Nexus 6
  • Post your number and I'll make you a first hand. Security needs to be taken seriously. Based on statistics someone gets hacked 18 times a second. Did you know that some time ago there was a rash of malicious live wallpaper that mined bitcoins for the dev? They have been taken down by now, but still. In the end you are the smug 10 foot tall and bullet proof guy that gets shot and killed.
  • The number he gave was 0.15% not 15%. Sorry I'm a fortnight late, but an error of that magnitude needs pointing out. Wubba lubba dub dub!
  • What?  He was only off by a factor of 100 ;)
  • And this is called fear mongering. A well known exploit. Posted via the Android Central App
  • I got hit over the weekend. This has been the most exhausting, frustrating event in my life. I still don't know exactly what Stagefright does and what all they can do. My phone was older and after receiving the text back from an ad, BAM! My phone was open overnight before I realized that I'd been infected. This really sucks. Have new phone but can't access provider account... it's like I'm still hijacked. Any suggestions?
  • Hi, you should call your provider right away, and you need to change passwords for that account and your Google account as soon as possible. Then there are lots of other passwords you will likely need to change. After that, if you still have the old phone, you might want to have it looked at by a computer security person. There is a multitude of Android malware that could have affected your device. But Stagefright may have been the delivery method. Google that name to read up on it later. Good luck.
  • Thank you for responding, I am not one of you guys, I was actually led here through Google. When I got hit, my provider and I were even locked out of my account since Saturday... this is some scary stuff.
  • I assume you have regained provider control? What about your Google account? And what is the manufacturer of your new phone? Nexus receives the fastest security updates, followed by Samsung, LG, and maybe HTC and Motorola. But Google just put out a patch for several vulnerabilities, and it will take some time before they make it to other phone models. Even Marshmallow is not fully patched. Here is a news link to Google's latest patching. There are several new Android malware that could have affected your phone, and a couple can even gain root access without your interaction. There are many articles at Security Week, and if you do a search on "theregister.com" (Android) you can find all kinds of helpful info. There are too many things, symptoms to cover here that could help narrow down what malware you encountered, but all important passwords need changed, and if you used any credit cards on your phone to shop, you should probably notify your bank about the breach you experienced. Just a precaution. If you have any further questions, I will try and help. Stay safe.
  • *** This was supposed to be a reply to Justine13 Sorry, I don't have any suggestions. I'm replying to your comment that you don't know exactly what it does. I was messaged by my provider months back about StageFright and they said I would be notified when the patch is available. I also heard an update to my device would carry a fix. So far, nothing has happened. I was watching last night's (Friday) Crime Watch Daily and they did a segment on this. The scariest part to me is even with the phone off, they can hear you through the microphone and see whatever the camera (front or back) is pointing to. It can gain access to everything on your phone. They showed 2 hackers that they hired to hack into a lady's phone. From the hackers' end, they showed the viewers that they were looking at and hearing this lady's conversation with a friend at a cafe, as well as pinpointing her location. SCARY!
  • Soooooooooooo................... Posted via the Android Central App
  • "This is *an exploit" is the graver mistake in the article. :P But in all seriousness, it is an exploit and should be taken seriously especially given the nature of the auto-load video 'functionality'.
  • Google's response could be a bit more precise and specific. For example, (not an actual quote) "Android has this, this, and this which will prevent this exploit from affecting users in a meaningful way".
  • That's what I thought. It's so vague as to be lacking credibility. You just hope it's vague because they don't want to tell hackers how they're going to be blocked.
  • Yeah? So that exploiters know what to deal with next?
  • Acknowledging it would not help an exploiter.
  • They like to pretend if they don't say anything it will go away on its own.
  • I suspect it has more to do with not wanting to get super technical about application sandboxing and ASLR in a press release that's intended to be intelligible to the "average" user.
  • If you are using hangouts for SMS, is the fix as simple as going into settings and turning off "Auto-retrieve MMS messages"? Then if you get a message from an unknown number you just ignore it?
  • Good question. Posted via the Android Central App
  • That is too simple of a solution and cannot be expected to be used. Google will push out a solution to Nexus devices. Samsung will advise you buy the now patched Galaxy S6. Everyone else will hope you don't notice there hasn't been an update to your phone for a while until they can get their next flagship out, then they'll travel Samsung's road.
  • "Samsung will advise you buy the now patched Galaxy S6"....lololol!!
  • That was my initial thought as I was reading.
  • I have a choice of Hang Outs and the default messaging app. The default messaging app has the option to uncheck 'auto-retrieve' but it doesn't mention if it's MMS or what. I'm pretty close to stock using an un-tinkered with Moto G.
  • I think it's MMS, because if you notice, it's below the MMS section.
  • Yes. It *could* still be possible for someone you know to send you an MMS message that contained the exploit, but seems less likely. As the article states, it's very unlikely to be a problem if you're running Android 4.0 or newer, but turning off Auto-Retrieval of MMS messages means that you have an extra layer of control in deciding if you want to download MMS messages.
  • If we have to wait for, say, Verizon to get around to pushing this out, it'll be 8-16 months if their track record is any indication.
  • How original, a dig at Verizon and their slow-paced updates. You've probably been waiting 8-16 months to use that!
  • We see what you did there Posted via the Android Central App
  • Troller no trolling.
  • Swiper, no swiping!
  • I'm soak testing a reply to your post. It should be ready sometime in Q2 2015!
  • Actually the one great thing about Verizon is they are very keen and very fast for fixing security exploits of every kind and push them out very fast. Verizon knows its regular customers are going to be going to them first for any and every problem with their phones. As much as I dislike Verizon, and I'm a customer, they are on top of security patches. Remember when my D1 stopped getting OS updates, but Verizon still pushed out security patches to it in a timely manner after it stopped supporting the phone.
  • I don't use Hangouts for messaging. I assume that Messenger does not auto play video. Still, updates should be pushed out if they have not been already on ALL phones, on all carriers (I'm looking at you, VZW).
  • Hangouts is updated through the Play store, the messenger app depends on your manufacturer. Have most moved the messenger app to the play store yet? I need to find out how mine is updated.
  • Probably referring to the Google Messenger app, which is in the Play Store. (Not manufacturer-supplied ones, as those mostly aren't in the Play Store) Posted via the Android Central App
  • Yes, I am talking about Google's own Messenger app downloaded from the Play Store.
  • Turned off Auto MMS receive in Messenger settings, just in case.
  • I'm running the latest version of Android hopefully it not an issue on a brand new nexus right... And let's not forget about , effective. 
    Power
    لُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ
    冗 Posted via the Android Central App
  • How (or actually why) could a media file have an executable that the OS will run, especially with system privileges ?
    I mean, Why would the OS need to execute there something? Isn't this sort of thing just a readable type of file?
  • It will likely be some kind of vulnerability in StageFright that corrupts the stack and allows a stack return pointer to point into the media file in memory, or something, although in that case, I'd expect the XN (Execute Never) facilities in ARMv6 onwards to stop that being executed (those facilities are designed to only allow execution from memory that has been specifically flagged as containing executable code). I'm probably being naive to trust technologies like that, though!
  • But it's a media file, something that other software is supposed to just read from it, not to execute anything... Just extracting a bitmap or something to show to the user...
    How could it corrupt anything? If the data is unreadable, it should just be marked as "invalid/corrupt" or something.
    A very weird bug.
  • It's probably a very typical bug known as a buffer overflow. A bug in the code that reads the video allows carefully crafted invalid input to write data past the end of a section of memory called a buffer, overwriting memory that's located physically just after the buffer, that contains executable code. Then the attacker's code is executed instead of the original code that was present at that location.
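The buffer overflow described in the comment above, and the "buffer overflow attack" the article says ASLR is meant to blunt, both come from a parser that trusts a length field carried inside the file it is reading. The following C program is an added illustration written for this page; it is not code from the article, from Zimperium's research, or from Android's libstagefright, and the four-byte big-endian length header it parses is a constructed simplification of a real media container. It puts three things side by side: the unchecked copy, a length check that looks right but wraps in 32-bit arithmetic, and the hardened check that rejects a length larger than the input or larger than the destination before any byte is copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Capacity of the fixed destination buffer a naive parser might reserve. */
#define DST_CAPACITY 16

/* Read a 4-byte big-endian length, the layout many media containers use. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The defect: the declared length is trusted and used as the copy size.
 * A header that claims more bytes than 'dst' holds writes past the buffer.
 * Shown only as the "before"; this demo never feeds it the crafted chunk. */
int parse_chunk_unchecked(const uint8_t *msg, size_t msg_len, uint8_t *dst)
{
    if (msg_len < 4) return -1;
    uint32_t declared = read_be32(msg);
    memcpy(dst, msg + 4, declared);      /* no bounds check on 'declared' */
    return (int)declared;
}

/* A check that looks careful but is still wrong: 'declared + 4' is computed
 * in 32-bit unsigned arithmetic, so a length near UINT32_MAX wraps to a
 * small value and the comparison passes. Returns 1 if the chunk is accepted. */
int naive_length_check(uint32_t declared, size_t msg_len)
{
    uint32_t needed = declared + 4;      /* wraps when declared > UINT32_MAX - 4 */
    return needed <= msg_len;
}

/* Hardened parser: every quantity taken from the file is compared against
 * what is actually present and against the destination's capacity before
 * the copy, and the comparisons are arranged so that no addition involving
 * the attacker-controlled value can wrap. Returns bytes copied, or -1. */
int parse_chunk_checked(const uint8_t *msg, size_t msg_len,
                        uint8_t *dst, size_t dst_cap)
{
    if (msg == NULL || dst == NULL) return -1;
    if (msg_len < 4) return -1;              /* header incomplete */
    uint32_t declared = read_be32(msg);
    size_t available = msg_len - 4;          /* safe: msg_len >= 4 checked above */
    if (declared > available) return -1;     /* claims bytes that are not there */
    if (declared > dst_cap) return -1;       /* would overrun the destination */
    memcpy(dst, msg + 4, declared);
    return (int)declared;
}

/* Constructed inputs: a well-formed 5-byte chunk, and one whose header
 * claims 0xFFFFFFFE bytes, chosen so that "declared + 4" wraps to 2. */
static const uint8_t GOOD_CHUNK[] = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t BAD_CHUNK[]  = { 0xFF, 0xFF, 0xFF, 0xFE, 'x', 'x', 'x', 'x' };

int checked_accepts_valid(void)
{
    uint8_t dst[DST_CAPACITY];
    return parse_chunk_checked(GOOD_CHUNK, sizeof GOOD_CHUNK, dst, sizeof dst);
}

int checked_rejects_crafted(void)
{
    uint8_t dst[DST_CAPACITY];
    return parse_chunk_checked(BAD_CHUNK, sizeof BAD_CHUNK, dst, sizeof dst);
}

int unchecked_copies_valid(void)
{
    uint8_t dst[DST_CAPACITY];
    return parse_chunk_unchecked(GOOD_CHUNK, sizeof GOOD_CHUNK, dst);
}

int main(void)
{
    printf("hardened parser, valid chunk:   %d bytes\n", checked_accepts_valid());
    printf("hardened parser, crafted chunk: %d (rejected)\n", checked_rejects_crafted());
    printf("naive wrap-prone check, crafted chunk accepted: %d\n",
           naive_length_check(read_be32(BAD_CHUNK), sizeof BAD_CHUNK));
    return 0;
}
```

Build with `cc -Wall demo.c -o demo && ./demo`. The naive check is the part worth studying: the crafted header fails the hardened parser but passes `naive_length_check`, because the addition wrapped before the comparison ran. Mitigations such as ASLR and the XN bit change what happens after an unchecked copy goes wrong; the bounds check is what stops it from going wrong at all.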
  • Could be. But isn't this kind of putting the code memory outside of its place a bit random?
    I mean, what chance is there that the exact piece of code will be executed , instead of only a part of it that's probably harmless (or can crash) ?
  • That should be one of the "protection mechanisms" newer versions of Android have. Position independent executables and ASLR make this kind of exploitation harder, but not impossible (i.e. Nop-sledding into mmapped bionic libc functions (which is still impeded by ASLR)). I'm also not sure whether or not Stagefright was compiled as a PIE or not... Of course, if the exploit works on some other mechanism that ASLR can't protect against, all safety bets are out the window; Stagefright isn't truly sandboxed in the same way a Dalvik/ART executable can be.
  • I don't know about most of the terms you've written, but the last sentence summarizes it all.
    I hope that at least for the relatively new versions of Android, this isn't a major security issue.
  • Huh?
  • Yet another reason why Apple will claim they are better. Posted via the Android Central App
  • We are just 2 months out from Apple dealing with their own SMS exploit that was taking down the majority of their devices
  • http://www.express.co.uk/life-style/science-technology/580211/iPhone-Mes...
  • I think the bug in the iOS/OSX keychain is a bit more serious:
    http://www.cultofmac.com/326567/mac-ios-malware-vulnerability/
  • Not to mention the bug that allowed websites to install "fake" versions of apps that could steal users' data, just by having the user click a link in an email or on a web page. No system is immune to security vulnerabilities. And the more complex (and convenient) the system gets, the harder it is to keep it secure.
  • So you got good hackers and bad hackers. Good hackers find a weakness, the news reports it. Bad hackers read article that says bad hackers haven't used exploit yet. Now bad hacker knows about exploitable exploit about to be exploited, by him... if it were actually something serious. Why does the media do this? It's so moronic. The important scary stuff never actually gets to the media, too much investment at stake. It's the pitiful crap like this that no real hacker cares about (because it's been exploitable for FIVE FREAKING YEARS and no one has cared about it, nor do they now) that gets the laymen all up in arms and huffy puffy over. So thanks media for getting us all riled up over nothing. And if it is something, thanks for advertising an unresolved issue to the whole world via a click of the mouse, so it's more of a something than it ever should have been.
  • Isn't that what media does, anyway?: They use shock value to frighten everyone into immobility. The fear card then raises, the US wastes $trillions, thus becoming a 3rd-world nation. Little kids can't then ride their bikes alone near their neighborhoods, nor may they play with horned toads and bugs in fields and vacant lots. They can't then obtain decent immunity--thus they must increasingly depend even more heavily upon our idiot, clueless, and corrupt medical system. Thus, the kids stay in their homes--"safely" with their phones and tablets--not knowing anything at all about nature while also becoming fat, diabetic, and a coronary concern. Their food is no good, since it's become so cheapened, nutrient-deficient, and chemical-laden--familiar diseases like ADD and autoimmune disease arise. When the temperature outside finally hits 150deg. F, or their houses burn up or wash away--they may then prove puzzled and concerned, in the end. What may they do then?: In vain, they'll Google for an easy, one-step solution--one which requires the least effort....
  • Does anyone know what sort of access permissions the malicious code would have? I've read everything from just the media files to "full control of your device."
  • The researcher who found the exploit "discovered a multitude of implementation issues with impacts ranging from unassisted remote code execution down to simple denial of service". I suspect that since Stagefright is part of the core OS, it might run with a high level of privilege.
  • I smell another FUD article from Rene Bitchey coming later today from iMore... Posted via the Android Central App
  • So if you received one of these texts, would a scan from something like Lookout, show anything?
  • No! The exploitation can erase the MMS before you ever see it, and if you are lucky, you may see a notice to a non-existing message. The real problem here, and is being downplayed by AC and Ludwig as usual, will be the attacks or spyware you never see or detect, or it will be combined with other malware to, say, lock you out with ransomware. It's just a matter of time until this is used, and then, even then, Google will simply say, "see, we already fixed it," not my problem. Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • Well, why shouldn't Google say that? This is the carriers' fault if they can't get a critical patch out in 90 days....
  • Yes but it's Google's problem. Google wants people to use Android, so anything hindering that (i.e. manufacturers and carriers) is a huge problem to Google. Fragmentation should be top on Google's list of things to remediate (though I have no idea how it would do it).
  • Exactly. via AC App
    on VZW Moto X 2014/2013 DE/N7
  • Couldn't this be fixed with a Play Services update? Perhaps it has already been pushed.
  • This is what I was thinking. This seems like the kind of thing that could be addressed via a Google Play Services update.
  • I'm guessing no, if it's a problem with a media component of the core OS. But I'd think they'd at least patch the vulnerability in Hangouts so it doesn't process video automatically. Actually, if they've known about this for months, I'm not sure why they haven't already.
  • It could affect the built-in messaging app as well, which would not be fixed until that OEM pushed out the update for their specific app.
    Our lead grey-hat hacker laughed because zero people have been affected, the exploit is difficult to use effectively because of the memory management since Android 4.0 (probably why no one has bothered using it), and it takes 5 seconds to render this exploit useless. In your message app, go to settings then multimedia messages, and un-check auto retrieve. Done.
  • Here's what I wish. I wish a vulnerability so easy to exploit and so severe would happen that it would cause Google, the OEMs and the carriers to all sit down and rethink how security updates are handled. I think it will take something like this before they get serious about it.