In July 2015, mobile-security firm Zimperium declared it discovered a high-severity vulnerability inside the Android operating system. The critical flaw exists in a core component named “StageFright,” a native media playback library Android uses to record, process and play multimedia files.

Further details were disclosed publicly at the BlackHat conference in August 2015 — but not before the news revealed billions of Android devices could potentially be compromised without users knowing. Researchers stated StageFright weaknesses are all “remote execution” bugs, enabling malicious hackers to infiltrate Android devices and exfiltrate personal data.

How Does StageFright Work?

StageFright can use videos sent through MMS as a source of attack via the libStageFright mechanism, which assists Android in processing video files. Several text messaging applications — including Google Hangouts — automatically process videos so the infected video is ready for users to watch as soon as they open the message. For this reason, the attack could take place without users even finding out.

It seems laborious, but it works within a matter of seconds: a typical StageFright attack breaks into a device within 20 seconds. And while it’s most effective on Android devices running stock firmware like Nexus 5, it’s known to function on the customized Android variants running on phones like the Samsung Galaxy S5, LG G3 and HTC One. StageFright’s popularity made it the first mobile-only threat featured on WatchGuard Threat Lab’s top-ten list of hacking attacks detected by IPS in 2017.

How to Use StageFright to Hack Android

The StageFright component is embedded in native code (i.e., C++), instead of memory-safe languages such as Java, because media processing is time sensitive. This itself can result in memory corruption. Researchers therefore analyzed the deepest corners of this code and discovered several remote code execution vulnerabilities attackers can exploit with various hacking techniques, including methods that don’t even require the user’s mobile number.

Here are the three most popular StageFright hacking techniques.

1. Place Exploit in Android App

In the original hacking method (discussed later), the hacker had to know the user’s mobile number for triggering StageFright via MMS. If an adversary wants to attack a large number of Android phones with this message, he/she should first gather a large number of phone numbers and then spend money in sending out text messages to potential victims.

Alternatively, the hacker can embed the exploit in an Android app and play the infected MP4 file to trigger the StageFright exploit. Here’s a video of the concept:

Researchers demonstrate Simple Media Player playing a malformed MP4 file. The
PID of the mediaserver changes, causing it to crash and restart.

2. Embed Exploit in HTML Webpage

The adversary simply embeds the infected MP4 file into an HTML web page and publishes the web page on the Internet. Once a visitor opens the page from his/her Android device, the malicious multimedia file is downloaded, resetting the internal state of the device. The attacker’s server then transmits a custom generated video file to the victim’s device, exploiting the StageFright vulnerability to reveal more details about the internal state of the device. Using the details sent by the exploit to the hacker’s server, the hacker is able to control the victim’s smartphone. Watch the proof of exploit below:

This new method also guides white hat hackers, black hat hackers and even government spying organizations on developing the StageFright exploit for themselves — here’s the
PDF manual.

Ethical Hacking Training – Resources (InfoSec)

3. Using Multimedia Message (MMS) For Exploit

With this method, the adversary just requires your phone number. They then send you an MMS with an infected MP4 file. When the file is downloaded, the hacker remotely executes malicious code on your Android device that can result in compromise of your private information or loss of data.

And because users get a preview of any message received over the air on all the newest versions of Android OS, this means that the attached malicious file is downloaded automatically. In addition, apps like Hangouts have an auto-retrieve feature. This increases the severity of the threat as it doesn’t require users to take any action to be exploited.

Essentially, the adversary can just send the message, trigger the code and wipe the trace while the victim is sleeping (the message can be deleted even before the user sees it). The next day, the user continues using his/her affected phone without knowing about the compromise.

How Can I Protect My Android Device From StageFright Attacks?

Google has patched the bug in the latest release of Android OS. However, a large number of Android users have an older version of Android, so it is up to their devices’ manufacturers to safeguard the devices against StageFright.

Since it sometimes takes manufacturers a long time to release patches, here are a list of things users can do to reduce their risk exposure to StageFright vulnerability.

  1. Disable mms auto-retrieval: Users can find this option in message settings. Once disabled, MP4s won’t download automatically — they will require the user to tap a placeholder or a similar element. Therefore, there’s no risk unless the user opts to download the MMS.
  2. Install apps from official Play Store: Instead of downloading apps via third-party websites, users should look for their official Play Store versions. It’s also a good idea to read app reviews before proceeding with the installation.
  3. Be vigilant when visiting web pages: Do not click or open suspicious links on the Internet. Click-bait titles may tempt you into downloading attachments, but it’s always smart to run a self-diagnosis of the site before taking an action. Does it look legit? Does a similar site also require you to download attachments? Answering questions like these will enable you to make an informed decision.

Android 7.0 Nougat came with a rebuilt media playback system that’s designed to protect against StageFright family of exploits. However, several device owners are running the old Android OS with an outdated mediaserver. Hence, the above-mentioned preventive measures are more of a necessity than an option when it comes to protecting Android against StageFright.