Rule Category

OS-MOBILE -- Snort has detected traffic targeting vulnerabilities in a mobile-based operating system. This category covers attacks against the OS itself, not browser traffic or other software running on the OS.

Alert Message

OS-MOBILE Google Android libstagefright integer underflow attempt

Rule Explanation

This event is generated when a malicious MPEG-4 file attempts to trigger an integer overflow in Android's libstagefright library.

Impact: High

Details: Android's Stagefright library is a core library used for playing multimedia formats. An integer overflow vulnerability exists in this library because the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp fails to properly validate the size of the chunks specified by an MPEG-4 file. Attackers can trigger the vulnerability via a specially crafted MPEG-4 file and achieve arbitrary code execution.

Ease of Attack: Simple
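The chunk-size validation described above, shown as an added example; it is not libstagefright code and not the Snort rule's logic. It assumes the ISO base media file format box header (32-bit big-endian size, 4-byte type, optional 64-bit largesize), and the function names and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum box_status { BOX_OK, BOX_TRUNCATED, BOX_SIZE_BELOW_HEADER, BOX_SIZE_PAST_END };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Unchecked pattern: unsigned subtraction wraps when declared < header_len. */
uint64_t payload_len_unchecked(uint64_t declared, uint64_t header_len) {
    return declared - header_len;
}

/* Validate the box header at buf[0..avail); on BOX_OK store the payload length. */
enum box_status check_box(const uint8_t *buf, size_t avail, uint64_t *payload_len) {
    uint64_t size, hdr = 8;
    if (avail < 8) return BOX_TRUNCATED;
    size = be32(buf);
    if (size == 1) {                       /* 64-bit largesize follows the type */
        if (avail < 16) return BOX_TRUNCATED;
        size = ((uint64_t)be32(buf + 8) << 32) | be32(buf + 12);
        hdr = 16;
    } else if (size == 0) {                /* box runs to the end of the data */
        size = avail;
    }
    if (size < hdr) return BOX_SIZE_BELOW_HEADER;  /* size - hdr would underflow */
    if (size > avail) return BOX_SIZE_PAST_END;    /* payload would read past the buffer */
    *payload_len = size - hdr;
    return BOX_OK;
}

/* Constructed sample headers, not taken from any real file. */
static const uint8_t SAMPLE_GOOD[12]  = {0,0,0,12, 't','e','s','t', 1,2,3,4};
static const uint8_t SAMPLE_SHORT[8]  = {0,0,0,4,  't','e','s','t'};
static const uint8_t SAMPLE_LARGE[16] = {0,0,0,1,  't','e','s','t', 0,0,0,0,0,0,0,8};

int main(void) {
    uint64_t n = 0;
    printf("good:  status=%d\n", check_box(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &n));
    printf("short: status=%d\n", check_box(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &n));
    printf("large: status=%d\n", check_box(SAMPLE_LARGE, sizeof SAMPLE_LARGE, &n));
    printf("unchecked 4-8 = %llu\n", (unsigned long long)payload_len_unchecked(4, 8));
    return 0;
}
```

A declared size smaller than its own header is never valid, so a parser or file scanner can reject it before any length arithmetic is done.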

What To Look For

Known Usage

No public information

False Positives

No known false positives


Cisco Talos Intelligence Group

MITRE ATT&CK Framework



For reference, see the MITRE ATT&CK vulnerability types here:


Rule Vulnerability

CVE Additional Information

Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3824.
Severity: HIGH
Base Score: 10.0
Impact Score: 10.0
Exploit Score: 10.0
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Access Vector:
Authentication: NONE
Ease of Access: