The Android Stagefright vulnerability falls into the category of a traditional buffer-overflow exploit. Buffer-overflow exploits have long been a staple used by bad actors to attack every kind of computing device. They've undergone much study by university and commercial security researchers, and many different defenses have been formulated.
A posting on stackexchange.com describes the Android Stagefright problem:
"[i]t appears that certain fields in 3GPP video metadata are vulnerable to buffer overflow attacks. In short, a 3GPP video can be given a string of metadata that, at first, exceeds a certain length, and in the end includes machine code that lands in memory that is off-limits to the application."
Typically, a buffer-overflow exploit writes data to memory until it overflows into a memory location used to execute code. In this case, the buffer overflow occurs when a video contaminated with malicious code is received by the default Android MMS and Hangouts messaging apps. By default, the video is downloaded automatically on arrival. The exploit is named after the Stagefright media framework, introduced in Android 2.2, which supports local file playback and HTTP progressive streaming.
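As an added illustration of the defect class the article describes (not code from Android, Stagefright or the researchers cited), the C parser below reads a constructed, simplified length-prefixed text field into a fixed-size buffer and rejects any record whose declared length exceeds either the buffer or the bytes actually present; the vulnerable pattern is the same copy performed without those two checks. The field layout is an assumed stand-in, not the real 3GPP metadata format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a length-prefixed metadata field:
   a 16-bit big-endian length followed by that many bytes of text. */
#define FIELD_MAX 32

typedef struct {
    char text[FIELD_MAX];
    size_t len;
} field_t;

/* Hardened parser. The vulnerable pattern is this same function with the
   two bounds checks removed, so that `declared` bytes are copied blindly
   into out->text regardless of the buffer size or the input size. */
int parse_field(const uint8_t *data, size_t size, field_t *out)
{
    if (size < 2) return -1;                       /* no room for the length */
    size_t declared = ((size_t)data[0] << 8) | data[1];
    if (declared > size - 2) return -1;            /* claims more than is present */
    if (declared >= FIELD_MAX) return -1;          /* would overrun out->text */
    memcpy(out->text, data + 2, declared);
    out->text[declared] = '\0';
    out->len = declared;
    return 0;
}

/* Returns the parsed text length, or -1 when the record is rejected. */
int field_len_of(const uint8_t *data, size_t size)
{
    field_t f;
    return parse_field(data, size, &f) == 0 ? (int)f.len : -1;
}

/* Constructed samples: a well-formed record, and one whose declared
   length (0xFFFF) far exceeds the three payload bytes that follow. */
static const uint8_t good_record[]  = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t lying_record[] = {0xFF, 0xFF, 'a', 'b', 'c'};

/* A record that really does carry 40 bytes, still too long for FIELD_MAX. */
int check_oversized_declared(void)
{
    uint8_t rec[2 + 40] = {0x00, 0x28};
    memset(rec + 2, 'x', 40);
    return field_len_of(rec, sizeof rec);
}

int main(void)
{
    printf("good:  %d\n", field_len_of(good_record, sizeof good_record));
    printf("lying: %d\n", field_len_of(lying_record, sizeof lying_record));
    printf("long:  %d\n", check_oversized_declared());
    return 0;
}
```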
Google's early warning system
Google monitors for potentially harmful apps on Android devices and on the Google Play Store as an early warning of malicious exploits in the Android ecosystem, in much the same way that the Center for Disease Control (CDC) monitors disease outbreaks.
At the heart of Google's early warning system is Verify Apps, a module that checks app installs for malware and runs hundreds of millions of virus-like scans every day searching for code and app behaviors that could potentially be malicious. This lets Google (like the CDC) respond proportionately to threats.
Drake reported that malicious code infecting videos automatically downloaded by the Messenger app could be executed. Google's Ludwig pointed out in a post to his Google+ page that just because malicious code can be covertly written to memory and executed doesn't mean that it can cause harm, due to the many defenses modern operating systems have against buffer-overflow exploits such as ASLR.
These defenses, and Google's report that an exploit of the vulnerability had not been detected on any consumer smartphones, don't reduce its seriousness; Ludwig told NPR that he ranked its severity as "high" on the Google security team's hierarchy, precipitating this morning's announcement.
Does Android bring inherent risks?
The exploit does underscore a disadvantage of Android's open source strategy. The open source approach succeeded in broadly proliferating Android, creating a large and diverse ecosystem of hardware makers. Just-in-Time (JIT) compilation and the Android Runtime (ART) make it possible for Android and all its apps to run on many different hardware designs without the involvement of Google's Android development team.