Zimperium zLabs has released to the public a working exploit that shows how the Stagefright vulnerabilities can allow remote code execution (RCE) without user interaction.
Zimperium said in a written statement that it was making the code available to the general public “so that security teams, administrators, and penetration testers alike may test whether or not systems remain vulnerable.”
The company originally reported in July that it had found 10 critical vulnerabilities that could be exploited via an MMS message with a specially crafted media attachment. It was estimated that 95 percent, or 950 million, Android devices were vulnerable. Updates have been issued prior to the code being released.
“Google released new versions of Hangouts and Messenger to block automatic processing of multimedia files arriving via MMS. We’ve tested these updated versions and are happy to confirm they prevent unassisted remote exploitation,” Zimperium said, adding that there are still other vectors present that must be fixed.