How to Get Over the New Stagefright…On Android

It was July 27th, 2015. A day that will live in infamy. No, obviously that’s not the day that Hollywood Hulk Hogan joined the New World Order™. It’s the day the original Stagefright vulnerability in Android was publicly disclosed. It allowed roughly 95% of Android devices to be broken into via an MMS message sent by a bad actor: the phone’s messaging app would fetch the attached media automatically, before you ever opened the message, and hand it to Android’s stock media framework (the Stagefright library, running inside the mediaserver process). A malformed video file could trick that code into running the attacker’s instructions, and from there the attacker had mediaserver’s privileges on the device, which were enough to have near-total control of it: grabbing data, listening in, and even sending further text messages to other phones, perpetuating the vicious circle of the original Stagefright.

Stagefright was pretty serious at the time, and really that original Stagefright problem still hasn’t been solved by many manufacturers (even my ASUS Zenfone 2 came with MMS turned off by default, and that was in 2016).

I did a write-up about this back in July of 2015, and assuaged the concerns of readers of the Dark Android Project that they were likely not affected at all by Stagefright (as long as they were following most of my laid-out Dark Android principles). The simple solutions were to have MMS turned off (or at least its automatic retrieval), and to use the Firefox for Android web browser (or a Firefox-based browser, anyways) as your default browser. Those two steps cover two different delivery paths. Turning off MMS auto-retrieve matters because the MMS attack needs no click at all: the messaging app fetches the attachment and passes it to mediaserver on its own, and no browser choice helps with that. Firefox covers the web path, and the reason it helps is, first off, that Mozilla patched the Stagefright bugs in Firefox right away (before Google had shipped fixes), and, second, that Firefox parses media files with its own copy of the parsing code (a separately maintained fork of the same library) rather than handing web video over to Android’s mediaserver. That means what affects Android’s media framework doesn’t (necessarily) affect Firefox, and vice-versa.

SIDE NOTE: Stagefright 2.0, which was revealed in October 2015, got onto your Android device in a different way. Instead of arriving by MMS, it used specially crafted MP3 or MP4 files, previewed in a browser or opened from a download, to get malicious code onto your device, so it needed you to open or visit something rather than just receive a message. But this was an easily solvable problem. Don’t download videos or MP3s that you don’t absolutely trust (and trust the source of), and again, use Firefox as your web browser so that the parsing of MP3s or MP4s stays in the browser’s own code instead of going to the rest of your system.

Regardless of solutions, Stagefright seems to be a pretty exploitable piece of code, as a new exploit has been discovered…but I’m not sure if we should call it Stagefright 3.0. For the sake of this post, I will.

How Stagefright 3.0 works is that you somehow (social engineering, a link sent to you, etc.) get tricked into visiting a specific (malicious) website set up by the attacker. That website then plays a video crafted to crash Android’s mediaserver process, which Android restarts automatically in a fresh, predictable state. Once it’s back up, the page feeds it another crafted video file (like the ones used in Stagefright 2.0) that leaks information about the mediaserver process back to the attacker’s page, which is what the attacker needs to build a payload that works on your particular device and firmware, and then the payload itself, which lets them spy on your device from then on. All of this happens in a matter of seconds.

Sound confusing? Well, don’t worry, this is one of those exploits that is “academic”…as in, the proof of concept was built against specific device and firmware builds, it’s not something that works against Android devices in general, and there have been no reports of Stagefright 3.0 being encountered in the wild. So this is a case of news sources largely making much ado about nothing.

That doesn’t mean that manufacturers and tech companies don’t take this seriously. In short order, many companies will likely have this solved. The real fix, as with the earlier Stagefrights, is a device that actually receives Google’s monthly Android security updates (which started in August 2015 as a direct response to the first Stagefright): on Android 6.0 and later, Settings > About phone shows an “Android security patch level,” and if yours is months old, no amount of careful clicking makes up for it. Beyond that, the advice is the same: don’t click on random links that get sent to you, and use alternative web browsers on Android like Firefox or anything Firefox-based that keep media parsing in the browser’s own code and (in many ways) separate your browsing activity from the rest of the operating system. That goes a long way toward keeping these kinds of exploits from even being an issue.
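If you want to check the patch-level question from a computer rather than by poking through Settings, here is a small script that does it from an `adb shell getprop` dump. This is an added example for this post, not code from the original write-up or from any Android tool: the script name `stagefright_check.py`, the sample dumps (constructed, not captured from real phones) and the cut-off date are my own assumptions. The cut-off is the October 2015 patch level, because Android patch levels are cumulative and that bulletin is the first one that carries the original Stagefright fixes (August 2015), their follow-up (September 2015) and the Stagefright 2.0 fixes (October 2015) together.

```python
"""stagefright_check.py: triage an `adb shell getprop` dump for patch status."""
import re
import sys
from datetime import date

# Assumption (not from the original post): the October 2015 patch level is the
# first that includes the August, September and October 2015 bulletin fixes.
# Patch levels are cumulative, so anything at or after it carries all three.
STAGEFRIGHT_PATCH_LEVEL = date(2015, 10, 1)

# `adb shell getprop` prints one property per line as "[name]: [value]".
_PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")


def parse_getprop(dump: str) -> dict:
    """Turn a getprop dump into a {name: value} dict, ignoring junk lines."""
    props = {}
    for line in dump.splitlines():
        m = _PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def security_patch_level(props: dict):
    """Return ro.build.version.security_patch as a date, or None if absent or malformed.

    The property only exists on Android 6.0 and later; a 4.x or 5.x device
    simply does not report one, which is a gap, not a pass.
    """
    raw = props.get("ro.build.version.security_patch", "")
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", raw)
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. month 13
        return None


def assess(dump: str, required: date = STAGEFRIGHT_PATCH_LEVEL) -> tuple:
    """Classify a device as PATCHED, VULNERABLE or UNKNOWN, with a reason."""
    props = parse_getprop(dump)
    release = props.get("ro.build.version.release", "?")
    model = props.get("ro.product.model", "?")
    level = security_patch_level(props)
    if level is None:
        return ("UNKNOWN", f"{model} on Android {release} reports no security patch level; "
                "assume the Stagefright fixes are missing unless the vendor says otherwise")
    if level >= required:
        return ("PATCHED", f"{model} on Android {release}, patch level {level.isoformat()}")
    return ("VULNERABLE", f"{model} on Android {release}, patch level {level.isoformat()} "
            f"is older than {required.isoformat()}")


# Constructed sample dumps (not captured from real devices) so this runs offline.
SAMPLE_PATCHED = """
[ro.product.model]: [Example Phone A]
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-03-01]
"""

SAMPLE_STALE = """
[ro.product.model]: [Example Phone B]
[ro.build.version.release]: [6.0]
[ro.build.version.security_patch]: [2015-09-01]
"""

SAMPLE_NO_LEVEL = """
[ro.product.model]: [Example Phone C]
[ro.build.version.release]: [5.0]
"""

if __name__ == "__main__":
    # Live use: adb shell getprop | python3 stagefright_check.py
    status, reason = assess(sys.stdin.read())
    print(f"{status}: {reason}")
```

Run it against a real phone with `adb shell getprop | python3 stagefright_check.py`. An UNKNOWN result on a 4.x or 5.x device is not good news: those builds predate the patch-level property, and whether the fixes ever landed depends entirely on the vendor. Note also that this only checks the media-framework side; MMS auto-retrieve is a per-app setting inside your messaging app and cannot be read from getprop, so that one you still check by hand.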

So relax. While this is a very real exploit, it’s not one that just anyone can use outside of an environment where it’s being tested. This (likely) isn’t going to get used on you on your way to, or while you’re in, Starbucks. And if you just up your personal security game a little bit (by following even some of the ideas in the Dark Android Project), most of the exploits you hear about for Android won’t affect you either.

You can go through the full research paper [PDF] on Stagefright 3.0 if you feel so desirous.

Breathe, Neo. Just breathe….

Carpe lucem!