CISOs' frustration with the security of the Android ecosystem continues to grow. The latest reason comes from NorthBit, an Israeli security firm, which said in a report this week that it has created a new proof-of-concept exploit for a bug in Android's multimedia library that defeats even recently issued patches.
That bug, called Stagefright, affects millions of handsets running Android versions 4.0, 5.0 and 5.1, as well as devices thought to be protected either because they run address space layout randomization (ASLR) within the Mediaserver component or because they had been patched since Stagefright was revealed last summer.
NorthBit dubs its exploit Metaphor and says its research is largely based on exploit 38226 by Google and the research blog post from Google's Project Zero, Stagefrightened.
Briefly, a victim has to be tricked into clicking a link to a website hosting a malicious video, perhaps in a targeted attack through an email or SMS message, or by compromising an ad network. The first attempt to load the video makes the media player crash and restart, and as it does so it sends data about the phone to an attacker, who uses it to check whether the device is vulnerable. If it is, a second video is served that carries malware allowing the phone to be taken over.
“Our exploit works best on Nexus 5 with stock ROM,” the NorthBit paper says. “It was also tested on HTC One, LG G3 and Samsung S5; however, exploitation is slightly different between different vendors. Slight modifications were needed. It’s important to note that this is a remote code execution vulnerability; it may still be necessary to elevate privileges of the mediaserver process, as different vendors gave mediaserver and its groups different permissions.”
Threatpost.com quotes an IDC mobile analyst as saying the report is another example of the weaknesses created by Android fragmentation, and that wireless carriers are slow to issue and deploy software patches to their subscribers.
“This is one more serious Android vulnerability that will hopefully push Google and wireless carriers to more effectively work together on patch management,” the analyst said.
In an email interview this morning, Forrester Research analyst Jeff Pollard noted that enterprise/mobile device management solutions that offer secure containers or isolation environments for business applications and data are protected – at least they appear to be. “However,” he added, “those solutions offer no protection to the end user of the technology. That might lessen the risk to the business, but not to the individual. Given that distribution of the exploit can occur via an email with a malicious link, it’s difficult for those solutions to stop an attack in that manner, since it’s unreasonable to disable email receipt, web browsing, or media playback for a user.”
EDM/MDM solutions can still make sense, he added, primarily because they offer some degree of protection for business data. In addition, CISOs have to make sure their Android users and customers are aware of the potential problem. “If MDM/EDM technologies have the ability to patch systems, encourage it, primarily because the telco/Android ecosystem can take quite a long time to deploy mitigations on OTA (over the air) networks. Providing links to websites or the open source tools created by researchers to check for the vulnerability is a great start, along with offering assistance in helping users deploy available patches. For companies with a large mobile presence in terms of activity or user base on the customer side, they should also find a way to advocate, assist, and inform to help their users understand and potentially mitigate issues as well.”