It was a security hole, or more accurately a cluster of holes, in Android’s core media-handling library, known as libstagefright.
The official name of the buggy library quickly morphed into the media-friendly moniker of the bugs themselves, Stagefright.
In operating system terms, a “library” (usually known as a DLL, or dynamic link library, on Windows, and as a shared library on Unix-like systems) is a sort of sub-program that can be shared between many applications.
Libraries take care of all sorts of useful functions, such as reading and writing files and directories, performing cryptographic operations, and – as here – handling multimedia objects like movies and songs.
Sharing a programming library across many applications saves disk space and memory; it brings consistency in how applications behave; it means that application developers don’t have to keep reinventing the wheel; and it simplifies updating.
Of course, it also often means that a vulnerability in one library file could open up exploitable holes in dozens of applications at the same time, following the “injury to one is an injury to all” principle.
The Stagefright risk
In theory, opening a booby-trapped MP4 (movie) file could have given a cybercrook a way of running unauthorised, untrusted program code on your Android, without so much as an “Are you sure?”
Worse still, the default settings on Android meant that if someone sent you an MMS (a sort of multimedia SMS) that referenced a booby-trapped movie, your phone would probably download and display it automatically.
Early headlines about Stagefright, driven by the PR efforts of Zimperium, the company that found the bugs, talked in brash terms about how 950,000,000 Androids could theoretically be at risk.
Fortunately, the bugs weren’t easy to exploit in practice, with the result that very little harm was done during the time it took for Google to get out patches.
The first wave of Stagefright patches appeared in September 2015, as part of Google’s promised move towards monthly updates – a promise that seems to have been extracted from Google largely because of the Stagefright story.
Zimperium didn’t stop looking after finding its first tranche of libstagefright bugs.
Unfortunately, many programmers are creatures of habit, especially of sloppy habits.
Where you find a coding error that produces an integer overflow, or an unchecked buffer, or a mismanaged memory pointer, you may very well find similar errors nearby.
It’s a bit like spelling errors: once your fingers get used to typing, say, “kernal” instead of “kernel”, you find yourself making the same mistake repeatedly.
→ Google is no stranger to this effect. In 2013, poor error checking in how Android processed APK files (Android Packages – the standard distribution format for apps) resulted in three separately discovered bugs in app verification. All these vulnerabilities caused almost identical security problems: you could feed Android a legitimate, digitally-signed app during verification, but trick the operating system into running malware during execution of the app. Similarly, the programmer who wrote buggy code for Android’s KeyStore library repeatedly forgot to allocate space in his text strings for the extra NUL (zero-byte) character that C needs in every string to denote where it ends.
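To make the two error classes above concrete, here is an added C example (not code from the article, from Android or from libstagefright). It parses the generic MP4-style box header (a 4-byte big-endian size followed by a 4-byte type) with the bounds check written the sloppy way and the safe way, and adds a string copy that budgets for the terminating NUL. The sample bytes and all function names are constructed for this example; the 32-bit arithmetic in the unsafe check mimics the habit being described, not any particular Android function.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a 32-bit big-endian value, as used for MP4 box sizes. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Sloppy check: "offset + size" is computed first, in 32 bits, and can wrap
 * round to a small number, so a huge declared size sails past the bounds test.
 * Returns 1 if the box is accepted, 0 if rejected. */
int box_fits_unsafe(size_t buf_len, size_t offset, uint32_t declared_size)
{
    uint32_t end = (uint32_t)offset + declared_size;  /* may wrap */
    return end <= buf_len;
}

/* Safe check: compare against the space that is actually left, so there is
 * no addition that can overflow, and insist on at least a full 8-byte header. */
int box_fits_safe(size_t buf_len, size_t offset, uint32_t declared_size)
{
    if (offset > buf_len) return 0;
    if (declared_size < 8) return 0;
    return declared_size <= buf_len - offset;   /* subtraction cannot underflow */
}

/* Walk box headers in buf, counting boxes accepted by the supplied check.
 * Stops at the first rejected box, at a zero-size box (which would never
 * advance), or when fewer than 8 bytes remain. */
size_t count_boxes(const uint8_t *buf, size_t buf_len,
                   int (*fits)(size_t, size_t, uint32_t))
{
    size_t offset = 0, count = 0;
    while (offset <= buf_len && buf_len - offset >= 8) {
        uint32_t size = be32(buf + offset);
        if (size == 0) break;                    /* separate no-progress guard */
        if (!fits(buf_len, offset, size)) break;
        count++;
        offset += size;
    }
    return count;
}

/* The KeyStore-style slip: sizing a string buffer without the NUL.
 * This copy counts strlen(src) + 1 and refuses if it does not fit.
 * Returns 1 on success, 0 if dst is too small. */
int copy_cstring(char *dst, size_t dst_len, const char *src)
{
    size_t needed = strlen(src) + 1;  /* payload plus terminating NUL */
    if (dst_len < needed) return 0;
    memcpy(dst, src, needed);
    return 1;
}

/* Constructed sample: a well-formed 16-byte "ftyp" box, then an "mdat" header
 * whose declared size of 0xFFFFFFF8 is far larger than the 24-byte buffer. */
static const uint8_t SAMPLE[24] = {
    0x00, 0x00, 0x00, 0x10, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm',
    0x00, 0x00, 0x00, 0x01,
    0xFF, 0xFF, 0xFF, 0xF8, 'm', 'd', 'a', 't'
};

int main(void)
{
    /* The unsafe check accepts both boxes; the safe check rejects the second. */
    printf("unsafe check accepts %zu boxes, safe check accepts %zu\n",
           count_boxes(SAMPLE, sizeof SAMPLE, box_fits_unsafe),
           count_boxes(SAMPLE, sizeof SAMPLE, box_fits_safe));
    return 0;
}
```

With the sample buffer the unsafe check lets the oversized "mdat" box through because 16 + 0xFFFFFFF8 wraps to 8 in 32-bit arithmetic; the safe check compares the declared size against the 8 bytes actually remaining and rejects it. The same "count the terminator" discipline in copy_cstring is what the KeyStore code kept forgetting.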
And Zimperium did, indeed, find yet more vulnerabilities in Android’s media file handling, this time affecting both MP3 (audio) and MP4 (video) files.
The good news is that Google has now patched these “Stagefright 2” bugs, in the official security fixes for October 2015.
The bad news is that even Google’s own devices, such as the Nexus family of phones and tablets, haven’t all actually received their patches yet.
My Nexus 7 from 2012, for instance, has firmware updates that stop at Android Lollipop 5.1.1 LMY47V. [As at 2015-10-06T21:00Z.]
But it seems that you require a build number starting LMY48 to have any Stagefright fixes at all, with LMY48T or later also giving you fixes against the newer “Stagefright 2” holes.
So the Nexus 5, which has fixes up to LMY48M, is probably a bit safer than my Nexus 7, but not as safe as, say, the Nexus 6, which is up to LMY48W.
The bottom line
Android updates, despite Google’s “monthly-at-a-minimum” commitment, still seem to be all over the place.
Making sure you have the latest patches available from your Android vendor or network carrier is easy, because you can check from the Settings page.
But finding out what’s actually fixed in those patches is a lot less obvious, so if you aren’t sure, you’re going to have to ask.
Additionally, as we’ve suggested before, you should probably turn off the auto-download of MMS messages on your Android.
Even without the Stagefright bugs – and, anyway, who knows but that we might yet see Stagefright 3? – it’s a bad idea to allow an outsider to force untrusted remote content to load on your phone simply by sending you a message.
That sounds a bit too much like email attachments that get opened up whether you want them or not, so they’re ready as soon as you read the mail.
OUR STAGEFRIGHT AND STAGEFRIGHT 2 TIPS
• Get patched ASAP. If you’re not sure, ask your vendor or carrier.
• Make sure third-party apps that can play media files are up-to-date.
• Avoid downloading media files “just to take a look.”
• Avoid clicking through to websites “just to take a look.”
• Don’t accept MMS messages from unknown senders.
• Turn off the “automatically download MMS messages” option.