Stagefright exploit code now available to the public

If you thought that the Stagefright nightmare was over, or at least on its way out, you might want to think again. More than two months after it went public with the severe Android vulnerability, mobile security outfit Zimperium is now also releasing actual working code that exploits this security hole. This comes while Google, device manufacturers, and carriers are still scrambling to roll out patches, and some devices remain exposed to this vulnerability. Now they have more pressure to pick up the pace.

Although the Stagefright vulnerability was reported in April and May, it was only in late July that Zimperium decided to go public with the information, as the usual disclosure practice goes. The media frenzy that followed did bear some good fruit. Google responded by promising more regular security bulletins and monthly updates to its Nexus devices. Samsung, and after it some other major OEMs, followed suit and promised to improve the update process and response time. In recent weeks, we've seen updates that explicitly carry patches to close down Stagefright.

Sadly, it is far from over. Not all OEMs and carriers have rolled out the necessary fixes to affected devices. After the initial fervor, sparked by a bit of hysteria, things even seem to have cooled down, and there is a chance that, without some persistence, things could go back to the status quo. And some of the holes reportedly remain exploitable even on devices that have received supposed patches.

After waiting for good things to happen, Zimperium has decided to go ahead with its promise to release exploit code to the public, in the interest of proper dissemination and probably as an incentive for the involved parties to really start pushing for changes. The code, written in Python, creates a malicious MP4 file that gives the attacker a "reverse shell" on the victim's device, and with it access to the microphone and camera, so the attacker can record the user without his or her knowledge.
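The article only says that the exploit is a crafted MP4 file, and the mechanics of the bug are not described here. As an added example, not Zimperium's exploit and not code from the article, the following Python shows the defensive side: a walker for the MP4 box ("atom") structure that refuses any box whose size field does not fit inside its container, the kind of sanity check a file-ingest pipeline can run before handing a media file to a native parser. The container-type set and the sample files are constructed for the example; nothing here is claimed to detect the specific Stagefright bug.

```python
"""Walk the box structure of an ISO BMFF / MP4 file and reject size fields
that do not fit their container.

Added example, not the exploit code discussed in the article. The sample
bytes GOOD and BAD are constructed inline so the check runs offline."""
import struct

# Box types that hold child boxes (ISO 14496-12 container boxes); assumed
# sufficient for this example, a real checker would carry the full list.
CONTAINER_TYPES = {b"moov", b"trak", b"mdia", b"minf", b"stbl",
                   b"dinf", b"edts", b"udta"}


def walk_boxes(data, start=0, end=None, depth=0):
    """Yield (offset, type, size, depth) for each box in data[start:end].

    Raises ValueError on a header that is truncated, a size smaller than
    its own header, or a size that runs past the enclosing container.
    The comparison is written as size > end - pos, which cannot wrap even
    in a fixed-width language; pos + size > end would overflow in C."""
    if end is None:
        end = len(data)
    pos = start
    while pos < end:
        if end - pos < 8:
            raise ValueError(f"truncated box header at offset {pos}")
        size, btype = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:                      # 64-bit "largesize" follows the type
            if end - pos < 16:
                raise ValueError(f"truncated largesize at offset {pos}")
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:                    # box extends to end of container
            size = end - pos
        if size < header:
            raise ValueError(f"box {btype!r} at offset {pos}: "
                             f"size {size} smaller than its header")
        if size > end - pos:
            raise ValueError(f"box {btype!r} at offset {pos}: size {size} "
                             f"exceeds container (ends at {end})")
        yield pos, btype, size, depth
        if btype in CONTAINER_TYPES:
            yield from walk_boxes(data, pos + header, pos + size, depth + 1)
        pos += size


def check_mp4(data):
    """Return (True, [(type, size, depth), ...]) for a consistent box tree,
    or (False, reason) for the first inconsistency found."""
    try:
        return True, [(t, s, d) for _, t, s, d in walk_boxes(data)]
    except ValueError as exc:
        return False, str(exc)


def box(btype, payload=b""):
    """Build a box with a 32-bit size field (helper for the samples)."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


# Constructed sample: a minimal, internally consistent layout.
GOOD = (box(b"ftyp", b"isom" + b"\x00\x00\x02\x00" + b"isom")
        + box(b"moov", box(b"mvhd", b"\x00" * 100)
              + box(b"trak", box(b"tkhd", b"\x00" * 84))))

# Constructed sample: the same file with the tkhd size field bumped far past
# its parent, the kind of inconsistency a parser must reject, not trust.
_bad = bytearray(GOOD)
struct.pack_into(">I", _bad, GOOD.index(b"tkhd") - 4, 0xFFFFFFF0)
BAD = bytes(_bad)

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD), ("TRUNCATED", GOOD[:-10])):
        print(name, check_mp4(sample))
```

The walker is deliberately strict: a size of 0 or 1 is interpreted as the spec allows, but every other value must fit in the enclosing box exactly, and any failure stops processing rather than skipping ahead, since a parser that keeps going after an inconsistent header is the one that ends up reading out of bounds.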

Some might take issue with Zimperium now giving hackers some ammo to take advantage of the existing vulnerability, though this is a well-known, if not always well accepted, security practice. At best, it serves as a more immediate and critical incentive for software makers and related channels to work faster. The one silver lining to this public release is that the exploit doesn't work on devices running Android 5.0 or higher. Given that Android Lollipop now runs on only 21 percent of the devices in the wild, that limits the exploit's reach somewhat, but still leaves the majority of devices within it.

VIA: Ars Technica