How to hack Android devices using the StageFright vulnerability [updated 2021]
In July 2015, mobile security firm Zimperium declared it discovered a high-severity vulnerability inside the Android operating system. The critical flaw exists in a core component named "StageFright," a native media playback library Android uses to record, process and play multimedia files.
Further details were disclosed publicly at the BlackHat conference in August 2015 — but not before the news revealed billions of Android devices could potentially be compromised without users knowing. Researchers stated StageFright's weaknesses are all "remote execution" bugs, enabling malicious hackers to infiltrate Android devices and exfiltrate personal data.
What should you learn next?
How does StageFright work?
StageFright can use videos sent through MMS as a source of attack via the libStageFright mechanism, which assists Android in processing video files. Several text messaging applications — including Google Hangouts — automatically process videos so the infected video is ready for users to watch as soon as they open the message. For this reason, the attack could take place without users even finding out.
It seems laborious, but it works within a matter of seconds: a typical StageFright attack breaks into a device within 20 seconds. And while it's most effective on Android devices running stock firmware like Nexus 5, it's known to function on the customized Android variants running on phones like the Samsung Galaxy S5, LG G3 and HTC One. StageFright's popularity made it the first mobile-only threat featured on WatchGuard Threat Lab's top-ten list of hacking attacks detected by IPS in 2017.
How to use StageFright to hack android
The StageFright component is embedded in native code (i.e., C++) instead of memory-safe languages such as Java because media processing is time sensitive. This itself can result in memory corruption. Researchers, therefore, analyzed the deepest corners of this code and discovered several remote code execution vulnerabilities attackers can exploit with various hacking techniques, including methods that don't even require the user's mobile number.
Here are the three most popular StageFright hacking techniques.
1. Place the exploit in the Android app
In the original hacking method (discussed later), the hacker had to know the user's mobile number to trigger StageFright via MMS. If an adversary wants to attack a large number of Android phones with this message, he/she should first gather a large number of phone numbers and then spend money on sending out text messages to potential victims.
Alternatively, the hacker can embed the exploit in an Android app and play the infected MP4 file to trigger the StageFright exploit.
Researchers demonstrate Simple Media Player playing a malformed MP4 file. The PID of the media server changes, causing it to crash and restart.
2. Embed exploit in HTML webpage
The adversary embeds the infected MP4 file into an HTML web page and publishes the web page on the Internet. Once a visitor opens the page from his/her Android device, the malicious multimedia file is downloaded, resetting the internal state of the device. The attacker's server then transmits a custom-generated video file to the victim's device, exploiting the StageFright vulnerability to reveal more details about the internal state of the device. Using the details sent by the exploit to the hacker's server, the hacker is able to control the victim's smartphone.
This new method also guides white hat hackers, black hat hackers, and even government spying organizations in developing the StageFright exploit for themselves.
3. Using multimedia messages (MMS) to exploit
With this method, the adversary requires your phone number. They then send you an MMS with an infected MP4 file. When the file is downloaded, the hacker remotely executes malicious code on your Android device that can result in the compromise of your private information or loss of data.
And because users get a preview of any message received over the air on all the newest versions of Android OS, this means that the attached malicious file is downloaded automatically. In addition, apps like Hangouts have an auto-retrieve feature. This increases the severity of the threat as it doesn't require users to take any action to be exploited.
Essentially, the adversary can just send the message, trigger the code and wipe the trace while the victim is sleeping (the message can be deleted even before the user sees it). The next day, the user continues using his/her affected phone without knowing about the compromise.
Become a Certified Ethical Hacker, guaranteed!
Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.
How can I protect my Android device from stagefright attacks?
Google has patched the bug in the latest release of Android OS. However, a large number of Android users have an older version of Android, so it is up to their devices' manufacturers to safeguard the devices against StageFright.
Since it sometimes takes manufacturers a long time to release patches, here is a list of things users can do to reduce their risk exposure to StageFright vulnerability.
- Disable mms auto-retrieval: Users can find this option in message settings. Once disabled, MP4s won't download automatically — they will require the user to tap a placeholder or a similar element. Therefore, there's no risk unless the user opts to download the MMS.
- Install apps from the official Play Store: Instead of downloading apps via third-party websites, users should look for their official Play Store versions. It's also a good idea to read app reviews before proceeding with the installation.
- Be vigilant when visiting web pages: Do not click or open suspicious links on the Internet. Click-bait titles may tempt you into downloading attachments, but it's always smart to run a self-diagnosis of the site before taking an action. Does it look legit? Does a similar site also require you to download attachments? Answering questions like these will enable you to make an informed decision.
Android 7.0 Nougat came with a rebuilt media playback system that's designed to protect against the StageFright family of exploits. However, several device owners are running the old Android OS with an outdated media server. Hence, the above-mentioned preventive measures are more of a necessity than an option when it comes to protecting Android against StageFright.
Check out this article about Android hacking tools:
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- How to hack Android devices using the StageFright vulnerability [updated 2021]
- The rise of ethical hacking: Protecting businesses in 2024
- How to crack a password: Demo and video walkthrough
- Inside Equifax's massive breach: Demo of the exploit
- Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
- How to hack mobile communications via Unisoc baseband vulnerability
- How to build a hook syscall detector
- Top tools for password-spraying attacks in active directory networks
- NPK: Free tool to crack password hashes with AWS
- Tutorial: How to exfiltrate or execute files in compromised machines with DNS
- Top 19 tools for hardware hacking with Kali Linux
- 20 popular wireless hacking tools [updated 2021]
- 13 popular wireless hacking tools [updated 2021]
- Man-in-the-middle attack: Real-life example and video walkthrough [Updated 2021]
- Decrypting SSL/TLS traffic with Wireshark [updated 2021]
- Dumping a complete database using SQL injection [updated 2021]
- Hacking clients with WPAD (web proxy auto-discovery) protocol [updated 2021]
- Hacking communities in the deep web [updated 2021]
- Hashcat tutorial for beginners [updated 2021]
- How to hack a phone charger
- What is a side-channel attack?
- Copy-paste compromises
- Hacking Microsoft teams vulnerabilities: A step-by-step guide
- PDF file format: Basic structure [updated 2020]
- 10 most popular password cracking tools [updated 2020]
- Popular tools for brute-force attacks [updated for 2020]
- Top 7 cybersecurity books for ethical hackers in 2020
- How quickly can hackers find exposed data online? Faster than you think …
- Hacking the Tor network: Follow up [updated 2020]
- Podcast/webinar recap: What's new in ethical hacking?
- Ethical hacking: TCP/IP for hackers
- Ethical hacking: SNMP recon
- How hackers check to see if your website is hackable
- Ethical hacking: Stealthy network recon techniques
- Getting started in Red Teaming
- Ethical hacking: IoT hacking tools
- Ethical hacking: BYOD vulnerabilities
- Ethical hacking: Wireless hacking with Kismet
- Ethical hacking: How to hack a web server
- Ethical hacking: Top 6 techniques for attacking two-factor authentication
- Ethical hacking: Port interrogation tools and techniques
- Ethical hacking: Top 10 browser extensions for hacking
- Ethical hacking: Social engineering basics
- Ethical hacking: Breaking windows passwords
- Ethical hacking: Basic malware analysis tools
- Ethical hacking: How to crack long passwords
- Ethical hacking: Passive information gathering with Maltego
- Ethical hacking: Log tampering 101
- Ethical hacking: What is vulnerability identification?
- Ethical hacking: Breaking cryptography (for hackers)
- Ethical hacking: Attacking routers
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
