Google Rebuilt a Core Part of Android to Kill the Stagefright Vulnerability for Good
Last summer, researchers discovered a serious problem at the core of Android. There was a flaw in the way Android handled media, potentially allowing remote code execution before a malicious file had even been opened.
Android’s security team patched the initial bug within weeks, but it inspired a wave of new attacks on the way Android processes audio and video files. The first copycat bugs were reported just days after the first patch, with more serious exploits arriving months later. The most recent Android patch report, released today, patches three separate vulnerabilities in Android’s media-processing function, including one critical flaw that could be used for remote code execution.
A chance to rebuild the playback system from the ground up
Now, Android is rebuilding that system from the ground up. When Android 7.0 Nougat began rolling out to phones last month, it came with a rebuilt media playback system, specifically designed to protect against the Stagefright family of attacks. In a post today, Android’s security team revealed new details on exactly how Nougat security has changed and what the team learned from last year’s string of bugs.
The Stagefright attacks worked by targeting Android’s "mediaserver" system, a core function that apps call on whenever they need to render audio or video. If media is sent over MMS or Hangouts, that can happen before you see a notification, as applications grab data to generate a preview or preload portions of the file.
But there was a flaw in the way the old mediaserver would preload that data. When certain integer variables were large enough, they would overwrite data in other parts of the phone, giving attackers a crucial foothold for breaking out of mediaserver and onto the rest of the phone. By exploiting that overflow, attackers could execute code on an Android phone without waking it up. Android security has made a number of changes since the bug was discovered — most notably, limiting the circumstances under which Hangouts and other MMS applications will preload media — but it’s remained a tempting line of attack for anyone trying to crack an Android phone.
The Nougat update gave Google’s team the chance to rebuild that system from the ground up, tearing out the Stagefright flaws at the root. To start, the team reworked mediaserver to scan for integer overflow attacks up front, preventing the attack that’s at the heart of Stagefright. Nougat also makes it harder to successfully exploit the compromise by adding more entropy to the address randomization system, which some researchers were able to bypass in the wake of Stagefright.
The biggest challenge is still getting updates to your phone
More fundamentally, Nougat shifts mediaserver from a unified block into a series of segmented steps, each with its own process and its own limited permissions. The process that extracts a video buffer is now completely separate from the process that plays that file or the process that formats it to fit inside the app. Hopefully, that fragmentation will make mediaserver a less tempting target without slowing down your video file. "It’s definitely a tricky area," said Adrian Ludwig, head of Android’s security team. "You’re looking for very rapid media playback, but you want to have as robust an environment as you possibly can."
As always, Android’s biggest challenge is getting the latest updates to your phone, a process that requires help from both manufacturers and carriers. Some manufacturers have dropped support for Nougat on phones released as recently as 2014, raising serious concerns about how many Android users will actually benefit from the new protections.
Still, phones that upgrade should see a smoother update process both inside and outside the phone. Nougat’s Direct Boot system lets phones download and partially install updates without any user interaction. At the same time, Ludwig says he’s seen both manufacturers and carriers get much faster at approving and deploying the monthly patches. "One of our goals is to get to a place where updates are just invisible to users," Ludwig says. "That’s important because we want to have lots of updates."