Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Android Stagefright multimedia viewer prone to remote exploitation - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Android Stagefright multimedia viewer prone to remote exploitation
Joshua J. Drake from Zimperium zLabs has reported a number of vulnerabilities in the Stagefright media playback system deployed in Android operating system devices. These vulnerabilities permit remote code execution when a specially crafted multimedia message (MMS) is sent to an Android device which can result in the device being compromised and Trojaned often exposing all data stored on the device. On some devices it appears that the MMS exploit can be executed with no intervention from the user and in some cases can be exploited completely invisible to the user.  
It looks like the issue affects all versions of Android 2.2 (Froyo, released 2010) and newer although there is some speculation that exploit mitigation controls in the Android Jelly Bean OS (version 4.1+) and newer may thwart some exploits, but the usefulness of these controls is unclear at this time..  It is also unclear from the information available today if patches are available.  Google has released patched code to the smartphone vendors, but it appears most device vendors have not yet released updated firmware to the public at this time. 

The CVE's for these vulnerabilities are:

CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829

​It should be assumed that almost all Android devices are vulnerable, so please keep an eye out for updated firmware for your device and apply the firmware as soon as available.


Update: Ugo sent a link to a blog post by Greg Bauges which describes some configuration changes which can be made on the Android device which will disable the automatic loading of MMS messages. While these changes do not stop the vulnerability from being exploited it at least makes it so the device user is aware the malicious MMS was received and run.

Update: I have been having discussions about the potential of these vulnerabilities for weaponization into a worm. Bruce Schneier has waded in with a similar idea.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)


324 Posts
ISC Handler
Jul 28th 2015
CyanogenMod 12.1 nightlies have had the fix for a couple of weeks apparently:

9 Posts

Looks like there's more.

135 Posts

Sign Up for Free or Log In to start participating in the conversation!