Page 44 - index
P. 44







and independent of the Linux kernel. This keeps apps from detrimentally interfering with each other
or with the operating system.

This means program processes rely
on IPC or inter-process
communications to work together.
This is known as application
sandboxing (or application
containerization), and one of the
alleged advantages of this is that
keeping applications isolated
improves overall security.

Stagefright is what processes media
in Android’s MediaServer, written
primarily in C++. It handles all video
and audio files, and provides
playback facilities. It also extracts
metadata for the Gallery (like thumbnails or dimensions of a video).


How Stagefright reaches you


So it might be fair to assume that since the programs on your phone are sandboxed, most aspects
of the system are safe from a single vulnerability. But while the compartmentalized nature of
Android is supposed to keep programs from interfering, MediaServer is a very privileged service
that has access to audio, bluetooth, camera, internet, and more. What’s worse, many phone
manufacturers have given the Stagefright component system permissions on their devices, which is
only a step below root access.


In layman’s terms: a hacker could gain access to your entire device.

An attacker only needs your phone number to conduct a successful hack. He or she could remotely
execute code through a video sent via MMS. It would require no action on your part, as Android
phones are set to preload videos. The attacker can even delete the message after sending it,
leaving you with little more than a mysterious notification.

If that doesn’t sound horrifying enough, that isn’t the worst of it. The reality is, that’s just one way
that the vulnerability can be exploited. It’s up to the hackers of the world to discover the rest.


Who figured this out?

Joshua J. Drake, an Android security expert, is the man behind the research. He is the Senior
Director of Platform Research at Zimperium Enterprise Mobile Security, and the Author of “Android
Hacker’s Handbook”. He’s also the founder of the #droidsec research group, an Android-focused
research community.






44 Cyber Warnings E-Magazine – October 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide

   39   40   41   42   43   44   45   46   47   48   49