Stagefright wakes up the mobile eco-system - Zimperium

Not everyday you get to wake up an entire eco-system !

Stagefright discovery by Joshua Drake (@jduck) at Zimperium – Mobile Threat Protection. At the time of writing this blog, ZHA has more than 25 members, comprising top 3 Android smartphone vendors, and 5 out of top 10 mobile carriers (by revenue) globally. Zimperium Handset Alliance (ZHA) members are the first to receive security patches, updates on new vulnerabilities, and other important mobile security related information from other members of ZHA. Vendors and carriers that wishes to join ZHA, apply here.

Please keep in mind that we are vetting applicants in an effort to ensure that sensitive information disseminated via this alliance stays within organizations actually charged with responding to Android security issues.

Update: A twitter user wrote that he has an information leak vulnerability in libstagefright that allows to bypass ASLR – which would make the vulnerability dangerous even on 5.1.1 before the latest Stagefright update.

1. Last week, Stagefright patches and POC files were made public by Zimperium.
2. Zimperium zLabs released an app to test if your device is vulnerable to Stagefright related CVEs. The Stagefright Detector app can be downloaded for free from the Google Play Store.
3. Carriers and Vendors are uniting through ZHA to provide security updates to end-users
4. Watch the video produced by zLabs demonstrating  Remote Code Execution (RCE) without user-interaction on Nexus 5 running Android 4.0.4

You can watch the Stagefright demo video on ICS here:

The entire Android eco-system is working together to solve the Stagefright vulnerabilities. Selected list of recent announcements regarding the impact of Stagefright on Android updates:

• Motorola, says updates will be handed off to carriers next week
• AT&T patches Stagefright vulnerabilities for Galaxy S6 Active, Note 4, S5 and S5 Active
• Verizon & T-Mobile Roll Out Stagefright Patch for Samsung Galaxy S5, Galaxy Note Edge and Galaxy Note 4
• Samsung, Google & LG to provide monthly Android security updates following the discovery of the vulnerabilities
• Sprint: Samsung Galaxy Note 4 on Sprint Gets Update With Stagefright Fix, Android 5.1.1 Too
• HTC is rolling out patches
• Deutsche Telekom is turning off auto-retrieval of MMS until vulnerabilities in Stagefright library are patched.
• Sony update Xperia Z series

According to Adrian Ludwig from Google, following devices will receive an update to patch libstagefright vulnerabilities:

• Samsung: Galaxy S6, Galaxy S6 edge, Galaxy S5, Galaxy S4, Galaxy S3, Note 4, Note 4 edge, Note 3.
• Google: Nexus 4, Nexus 5, Nexus 6, Nexus 7v2, Nexus 9, Nexus 10
• LG: G2, G3, G4
• HTC: One M7, One M8, One M9
• Sony: Xperia Z2, Xperia Z3, Xperia Z4, Xperia Z3 Comp

And hundreds more!

Google’s Adrian Ludwig at Blackhat 2015. Credit: Max Eddy, PCMag – @wmaxeddy

Zimperium zLabs