Zimperium Publishes Android Stagefright Bug Sample Code
More than a month after the Stagefright bug was publicly announced, mobile security company Zimperium has published sample code showing how attackers can use it.
The Stagefright bug was reported by Joshua Drake, VP for Platform Research and Exploitation at mobile security startup Zimperium, and publicly announced in July this year. Sample code has now been published showing how attackers could exploit the bug.
Zimperium had warned Google back in April about multiple critical vulnerabilities in Android, which it dubbed "Stagefright," a bug that leaves mobile devices vulnerable to outside attacks via MMS. Attackers could send a loaded MMS that would gain them root access to a device without users being aware of it.
The security company's sample code showed how attackers could exploit the Stagefright media library's most critical vulnerability by generating an MP4 using a Python script, and creating a reverse command shell that lets them run a number of commands on the compromised device, including taking pictures or listening remotely through the Android device's microphone.
Zimperium has tested the code on a Nexus phone running Android 4.0.4, but has said the code may not work on a majority of Android devices, particularly those running Android 5.0 and above.
Zimperium said it had released the code to give other security teams, bug testers, and IT administrators enough leeway to test it on their own systems to check for vulnerabilities, as well as to pressure Google, its telco partners, and other device manufacturers to fix Stagefright at the earliest possible time.
Zimperium recently debuted its Stagefright Detector app, which is now available for download on Google Play. Stagefright Detector checks whether the Android version running on a device is vulnerable to Stagefright, which Common Vulnerabilities and Exposures (CVE) entries the device is vulnerable to, and whether the user needs to update their mobile OS.
Stagefright Detector has recently added support for additional devices, including TV and x86, along with bug fixes.