Security firm releases source code for Stagefright exploit
The company Zimperium has revealed how one of the vulnerabilities in Android's Stagefright video engine works. The exploit's source code makes it possible to build tools that abuse the flaw, but Google is rolling out a patch.
On his blog, security researcher Joshua Drake of Zimperium posted sample code that exploits the Stagefright vulnerability. It concerns the so-called stsc vulnerability, tracked as CVE-2015-1538. Zimperium points out that it’s just one of the potential vulnerabilities collectively known as the Stagefright bug, but it’s one of the most critical flaws. With the released source code, it is possible to build a working exploit for the Stagefright vulnerability.
According to Drake, the released code does not necessarily work on all Android devices and may require some minor adjustments. It is also possible that some smartphones have already been fixed by patches released by Google, so that the exploit no longer works. However, many devices remain vulnerable, making it possible for hackers to use the code to break into users' devices. With the release of the exploit, Drake hopes that developers will learn something from it, including by testing whether their system is still susceptible to the vulnerability.
Drake had previously indicated that he would release the exploit. That was supposed to happen at the Black Hat conference. However, it was then decided to postpone the release to give Google more time to fix the vulnerability. The internet giant previously released a patch, but a security company pointed out that it did not provide sufficient protection against the Stagefright bug. The extent to which the Stagefright bug is currently being exploited is unknown.