Why Zimperium released Android Stagefright exploit code to public?
In July, the Stagefright security flaw was discovered by Zimperium, which could let hackers take control of the smartphones by sending a simple message or MMS. After getting this jolt, Google and Samsung promised monthly Android security updates, but still some companies have not yet released the security updates. Now, Zimperium released Android Stagefright exploit code to public for testing purposes.
Zimperium released Android Stagefright exploit code to public and said:
“We are pleased to finally make this code available to the general public so that security teams, administrators, and penetration testers alike may test whether or not systems remain vulnerable.”
Zimperium released Android Stagefright exploit code to public, which includes a Python script, generating an MP4 exploiting the ‘stsc’ vulnerability (CVE-2015-1538). It gives the attacker a reverse command shell and they can do anything on the compromised Android device like taking personal pics and listening to the microphone remotely.
The company said in a statement:
“Vendors that took measures to protect themselves are not at risk; most devices, however, still are.”
According to the researchers, the exploit code released by them is not generic and has only been tested to work on Google Nexus running on Android Ice Cream Sandwich 4.0.4. It will definitely not work on devices running Android 5.0 or above. They also said that due to “variances in heap layout,” the exploit is not completely reliable.
Possible reasons:
Till now, only a handful of devices received the security patches and in some cases it didn’t even work. Zimperium released Android Stagefright exploit code to public to encourage Android phone vendors who have not yet released the security updates to work on it. Since the exploit code is available in the wild, the smartphone companies will work faster to provide the security updates in order to protect Android users from further hacks.