The Android vulnerability known as Stagefright is back in the limelight.
Stagefright is a bug, or more accurately a series of similar bugs, in an Android programming library called libstagefright.
Aug 12, 2015 Android has a massive security bug in a component known as 'Stagefright.' Just receiving a malicious MMS message could result in your phone being compromised. It's surprising we haven't seen a worm spreading from phone to phone like worms did in the early Windows XP days — all the ingredients are here. The exploit itself can be used to deliver malware, but if it does, you ought to be able to find that malware with an Android anti-virus. (Ours is free; see the 'free tools' links below.). The Stagefright bug was discovered by Joshua Drake from the Zimperium security firm, and was publicly announced for the first time on July 27, 2015. Prior to the announcement, Drake reported the bug to Google in April 2015, which incorporated a related bugfix into its internal source code repositories two days after the report. Tony Hsieh, iconic Las Vegas entrepreneur, dies at 46. Virus numbers could be erratic post-Thanksgiving. Harmless symptom was actually lung cancer.
Libstagefright is part of the operating system that handles media files such as movies.
If you receive an MMS (Multimedia Messaging Service) message that links to a video, or watch a clip embedded in a web page, or download a video for later, your Android will probably load up and use the libstagefright software to play the file.
Researchers at Zimperium found a number of memory corruption bugs in the libstagefright code, and prepared a paper for the recent Black Hat conference to talk about them.
Presentations at Black Hat that deal with vulnerabilities in widespread devices often get a lot of publicity before the event, and with Zimperium claiming that some 950,000,000 Androids might be at risk, Stagefright got more publicity that most.
Eventually, Zimperium didn't release any actual exploits at Black Hat, giving the Android ecosystem a bit more time to get its patches tested and shipped.
Public exploit code
But that was a month ago, and the company has now decided to wait no longer.
Zimperium has published a Python program that generates booby-trapped .MP4 movie files, apparently to help you test whether your device is patched.
The bad news is that the 'test' program doesn't merely prove that you have an exploitable Android, for example by popping up the Android calculator program without asking.
(Running CALC.EXE is a standard proof-of-concept in the Windows world.)
The test program produces a movie file exploit that calls home to an internet address you specify when you create the file, and gives you a command shell on the victim's Android device.
→ This sort of exploit is known as a 'reverse shell' – reverse because the attacked computer connects to you, rather than you logging in to it; shell because that's the Unix-flavoured name for a command prompt.
So, as much as Zimperium's Python script is a proof-of-concept, it's also, strictly speaking, a Remote Access Trojan creation kit. (Sophos Anti-Virus detects them as Exp/20151538-A.)
The good news is that the exploit seems, at best, to be device specific.
At any rate, the blog article says that:
This exploit has several caveats. First, it is not a generic exploit. We only tested it to work on a single device model. We tested this exploit on a Nexus running Android 4.0.4. Also, due to variances in heap layout, this is not a 100% reliable exploit by itself. We were able achieve 100% reliability when delivered through an attack vector that allowed multiple attempts. Finally, this vulnerability was one of several that was neutered by GCC 5.0's ‘new[]' integer overflow mitigation present on Android 5.0 and later.
As we explained in a recent article about booby-trapped files (in that article we dealt with a Word-based attack rather than a movie-based one), modern exploits often rely on two tricks.
One is known as a spray, where the attacker knows he can crash your device, but is only able to aim control at a general area of memory.
So he pads out his attack code, or repeats it over and over, in the hope that when it is loaded by Word, or by libstagefright, or whatever, it's a big enough target in a suitable place.
Padding or repeating your attack code is known as spraying memory, for obvious reasons.
But operating systems, both by accident and by design, don't always allocate memory in a repeatable or predictable way.
The memory available for allocation to a program is known as the heap, and the heap layout will typically vary between different devices, between different versions of the operating system, and even between reboots.
As Zimperium points out, this greatly diminishes the chance that its proof-of-concept exploits will work in the real world without modification.
The second trick needed by many exploits, including Stagefright, is ROP, or Return Oriented Programming.
Phast cracked. Thanks to DEP, or Data Execution Prevention, an attacker can't blindly jump to exploit code he has sprayed onto the heap: it's labelled as data, so trying to run it will fail and the exploit will be prevented.
So, the attacker needs to identify code fragments that are already in executable memory, and string them together as a precursor to his attack.
He then creates a list of the addresses at which these fragments are located, and jumps to them in turn.
→ On Intel processors, this 'jumping' is usually done by an instruction called RET, short for short for return from subroutine, which is how Return Oriented Programming gets its name.
But recent versions of Android, along with every other modern operating system, has a feature called ASLR, or Address Space Layout Randomisation.
ASLR does what its name suggests: it loads the components of your program at a different place in memory every time.
Actually, for performance reasons, the locations typically change only when you reboot, but it nevertheless makes every user's memory layout different.
ASLR is a great defensive tool against ROP, because it means that the list of code fragment addresses found by an attacker are often valid only on the attacker's own test device.
When you send your exploit out into the real world, you may find that instead of making a series of pre-programmed turns that just happen to lead onto the freeway, you end up crashed into a hedge or stuck in a ditch.
What's the risk?
How To Get Rid Of Stagefright Virus Protection
ASLR and the vagaries of the heap notwithstanding, the vulnerabilities found by Zimperium are real.
Even exploited inexpertly, they could be used by malcontents to crash important programs on your device.
A denial-of-service attack is generally less of an issue that outright remote code execution, but it can still cause serious problems, especially if the attacker repeatedly crashes a program you rely upon to do your job.
And, as the Zimperium proof-of-concept shows, remote code execution due to the Stagefright bugs is technically possible, no matter that it's unlikely.
There's also the thorny problem that many Androids are configured to download and display MMS messages by default.
In other words, someone you don't know can attack you via Stagefright without having to talk you into visiting his website or downloading his booby-trapped file.
He can simply send you one or more MMSes that link to booby-trapped movie files, and your phone will process them in the background.
And one way around ASLR and heap variation is to try the same attack over and over again, adjusting the addresses that you wire into your exploit every time.
That doesn't guarantee success, but it certainly improves the chances that your attack may just happen to line up with the memory layout on the victim's computer.
What to do?
• Get patched as soon as your vendor or carrier provides an update. If you're not sure, ask.
• Make sure third-party apps that can play videos (e.g. Firefox) are up-to-date, too.
• Avoid downloading media files 'just to take a look.'
• Avoid clicking through to websites 'just to take a look.'
• Don't accept MMS messages from unknown senders.
• Turn off the 'automatically download MMS messages' option.
To learn how to how to turn off auto-retrieval of MMSes, please see our earlier article about Stagefright.
💡 Make your Android safe against unwanted MMSes ►
Whether you're a student presenting his first project, a teacher standing in front of your new class or just someone preparing to speak in front of a large audience. You must be familiar with stage fright, dreading it, and what comes with it.
From butterflies in your belly to panic attacks, the severity of symptoms vary from one person to another but the one thing in common is the fact that you can control it.
What is stage fright?
Stage fright is a feeling of anxiety and distress you get before a public speech or an important event that holds a lot of people. It could arise suddenly or gradually, though it often appears during the time adding up to the performance. It could have mild or severe symptoms, emotional or physical reactions.
The emotional ones start with your racing thoughts such as: what if I'm not good enough? What if I forget what to say next? What if they laugh at me?…
And there you have it , that's where your anxiety starts and your physical reaction kicks in, your lips might start to tremble, your hands and knees might begin to shake, your heart rate increases, and at times you might even suffer from nausea/vomitting.
You may be wondering and asking yourself right now: 'I know all of this, I've been through it. But how can I overcome it? How can I stop myself from reaching this fearful state? '.
Well, to answer you, we first have to tackle the causes of such anxiety.
Causes of stage fright
The fear of public speaking, also called glossophobia, is common within stage fright. Which makes the latter a phobia itself.
But this shouldn't worry you or make you feel out of the ordinary, many people happen to struggle with this phobia.
Most of the time it all goes back to your confidence or lack of it to be more accurate, you don't think you're good enough for the job; moreover, you expect perfection but you fear rejection and judgment. Other times, it could just be the fact that you didn't come prepared; and nothing undermines public speaking confidence like being unprepared.
If you haven't memorized your lines, or had insufficient practice then all you're left with is a feeling of distress and in this case you have no one to blame but yourself.
If we know what we're dealing with, and what triggers it then we might have a better chance at treating it before it worsens and escalates.
Many people suffer in silence because of stage fright, the ultimate result of this silence is them dropping out of school or leaving whatever job they have; all in fear of speaking up again in front of people or the further embarrassment of telling others about the phobia they're dealing with, but we can prevent all of that from happening. How?
Well, this is where my article comes along, this is where I help you to overcome your anxiety and conquor your fears. Here's what you need to do:
How to get rid of stage fright
1. Accept yourself
You have to believe in your abilities, no matter how clichè this sounds, trust your will and put it in your head that you have nothing to prove to others.
Don't try to hide the fact that u're afraid, just accept it, deal with it, and hold your head up high.
Trusting yourself by coming prepared is a good start but it's not enough, especially if you're always between the on and off in struggling with stage fright.
You must also deal with whatever negative perceptions, images, or predictions you have that are related to public speaking or performing.
2. Learn helpful skills
How To Get Rid Of Stagefright Virus Removal
Practice ways that can help you keep calm, relax your mind and body. Use techniques such as deep breathing (diaphragmatic or 'belly' breathing), relaxation exercises (hypnosis and biofeedback), yoga, and also meditation.
Pay attention to how you stand, sit, gesture, and move when you're in a comfortable environment. Then recreate that natural movement within a larger group.
3. Engage a healthy life style
Exercise regularly, eat and sleep well. Try to limit caffeine, sugar and alcohol, they'll only make you even more nervous; drink juice, and make sure to take sips of water during your speech to prevent your mouth from drying.
Try to make new friends, step out of your comfort zone, and start a new hobby. This will help with your self-esteem and hopefully prevent any future stage frights.
4. Practice again and again
Memorize your speech by heart if you have to, repeat and repeat until it's encrypted in your head. Stand in front of the mirror and practice, record yourself and observe the tape later on, or use the help of a friend as an audience; this will help you master your performance, stop the stammering and those 'Hums' and 'Ahhs' you're constantly struggling with.
Overall, you'll be more confident and assured that you won't forget a word on your big day.
5. Join speaking groups
If you're having trouble with your confidence, speaking groups can help you tremendously throughout constructive criticism, offering tips and tricks that will help you develop your speaking skills; furthermore, teaching you how to make a connection with your audience.
Some of these groups include: Toastmasters,TED-style-Talks, goskills, Public speaking project.
6. Try therapy
There is nothing wrong with seeking help. If none of the above works you should consider getting the help of a mental health professional.
Most of the time it all goes back to your confidence or lack of it to be more accurate, you don't think you're good enough for the job; moreover, you expect perfection but you fear rejection and judgment. Other times, it could just be the fact that you didn't come prepared; and nothing undermines public speaking confidence like being unprepared.
If you haven't memorized your lines, or had insufficient practice then all you're left with is a feeling of distress and in this case you have no one to blame but yourself.
If we know what we're dealing with, and what triggers it then we might have a better chance at treating it before it worsens and escalates.
Many people suffer in silence because of stage fright, the ultimate result of this silence is them dropping out of school or leaving whatever job they have; all in fear of speaking up again in front of people or the further embarrassment of telling others about the phobia they're dealing with, but we can prevent all of that from happening. How?
Well, this is where my article comes along, this is where I help you to overcome your anxiety and conquor your fears. Here's what you need to do:
How to get rid of stage fright
1. Accept yourself
You have to believe in your abilities, no matter how clichè this sounds, trust your will and put it in your head that you have nothing to prove to others.
Don't try to hide the fact that u're afraid, just accept it, deal with it, and hold your head up high.
Trusting yourself by coming prepared is a good start but it's not enough, especially if you're always between the on and off in struggling with stage fright.
You must also deal with whatever negative perceptions, images, or predictions you have that are related to public speaking or performing.
2. Learn helpful skills
How To Get Rid Of Stagefright Virus Removal
Practice ways that can help you keep calm, relax your mind and body. Use techniques such as deep breathing (diaphragmatic or 'belly' breathing), relaxation exercises (hypnosis and biofeedback), yoga, and also meditation.
Pay attention to how you stand, sit, gesture, and move when you're in a comfortable environment. Then recreate that natural movement within a larger group.
3. Engage a healthy life style
Exercise regularly, eat and sleep well. Try to limit caffeine, sugar and alcohol, they'll only make you even more nervous; drink juice, and make sure to take sips of water during your speech to prevent your mouth from drying.
Try to make new friends, step out of your comfort zone, and start a new hobby. This will help with your self-esteem and hopefully prevent any future stage frights.
4. Practice again and again
Memorize your speech by heart if you have to, repeat and repeat until it's encrypted in your head. Stand in front of the mirror and practice, record yourself and observe the tape later on, or use the help of a friend as an audience; this will help you master your performance, stop the stammering and those 'Hums' and 'Ahhs' you're constantly struggling with.
Overall, you'll be more confident and assured that you won't forget a word on your big day.
5. Join speaking groups
If you're having trouble with your confidence, speaking groups can help you tremendously throughout constructive criticism, offering tips and tricks that will help you develop your speaking skills; furthermore, teaching you how to make a connection with your audience.
Some of these groups include: Toastmasters,TED-style-Talks, goskills, Public speaking project.
6. Try therapy
There is nothing wrong with seeking help. If none of the above works you should consider getting the help of a mental health professional.
By using cognitive behavioral therapy the therapist will help you change your distraught thoughts into more rational, optimistic ones. Medication may also be prescribed to help you control your fear.
Conclusion
In the end, just stop scaring yourself with thoughts about what might go wrong, forget about your past failures, learn to improvise, and stop comparing yourself to others.
Instead, focus your attention and your fear towards what is really important, which is contributing something of value to your audience. In short, give it your best shot and stop trying to be perfect. Be natural. Be yourself.
