May 25, 2019 | Updated: 09:45 AM EDT

Joshua Drake, The Researcher Who Discovered The Stagefright Vulnerability, Releases The Code Out Into The Wild

Sep 11, 2015 02:07 AM EDT


Since Joshua Drake of Zimperium Labs exposed the Stagefright Android vulnerability in April 2015, Android and the OEMs have been working on patches for the flaw. In spite of the efforts to mitigate the vulnerability, he never released the exact exploit code that may help other researchers to trace how to create patches for the loophole. The goal was to keep the code from falling into malevolent coders’ hands. This week, however, Joshua Drake finally released the code into the wild, which may have both good and bad consequences.

Releasing the Stagefright exploit code may allow companies and individuals to be able to check if their systems are vulnerable to actual exploits of the Stagefright code. However, since it’s out in the wild and could fall into hackers’ hands, there’s no telling whether the move is a good thing or could lead to massively dire consequences.

It’s a risk that Drake took, in order to allow the developer community to create their own solutions for the Android security loophole. This way, the patches won’t need to be dependent on whether the OEM’s, carriers, and vendors roll out these solutions. Another issue would be if these patches are actually effective in securing particular systems. Having the code out in the open would allow organizations to tailor-fit the solutions to their infrastructure.

To help cushion the impact of the exposition of the security flaw, Google released statements to indicate that Androids actually have a technology called “address space layout randomization” (ASLR). This means that applications’ processes work in sections of memory that are randomly-selected, which makes it more difficult for a hacker to actually get into an Android to make use of the Stagefright exploit. Google claimed that 9 out of 10 Androids have this. But Zimperium Labs pointed out that the exploit can go around ASLR protections, both via MMS and browser. Thus, there is no denying that patches are needed.

Patches have already been rolled out since last month, though making the code available for devs to work on additional measures is still helpful to the Android developer community, the Open Source community, and ultimately, the end-user.

The release of the Stagefright exploit code is definitely a two-pronged, double-edged move. However, if it aids developers to use the code for good, it is definitely worth the risk of letting it fall into the hands of the rogue coders.


Read more on the Stagefright loophole saga on Droid Report:

Time To Quit MMS? “Stagefright” Code Leaves Devices Vulnerable To Malware And Hacking:

Frightened Of The Stagefright Vulnerability? Companies Are Rolling Out Patches:

Real Time Analytics