Pineapple Stagefright Mass Attack (PASMA): A Strategy for Large Scale Android Infiltration

Raised of $4,500 Goal
Ended on 2/03/17
Campaign Ended
  • $0
  • 0%
  • Finished
    on 2/03/17

About This Project

In our fast-paced technological society, nearly everyone is connected to the Internet through Wi-Fi with their mobile devices and computers. Most users likely have known Wi-Fi networks that they have connected to before, and their devices connect automatically to the network when it comes within range. In this project, we aim to demonstrate that this default setting is a severe security risk by developing an attack that exploits the vulnerability in Android devices.

Ask the Scientists

Join The Discussion

What is the context of this research?

Android devices are susceptible to attacks from a vulnerability known as Stagefright. This vulnerability is a conglomerate of software bugs that affect Android Froyo (2.2) and above. They allow attackers to gain remote access to the devices. The Pineapple Wireless Auditing Platform allows someone to intercept Wi-Fi network traffic by forcing users to connect to it instead of the router that was to be used intentionally. This theoretically creates a massive attack vector on Android devices that have the option to automatically connect to Wi-Fi hotspots, which seems to be the case with most people, due to the ability to use man-in-the-middle attacks to replace ad images on websites with images that can inflict on the Stagefright vulnerability.

What is the significance of this project?

It is very important to understand and demonstrate the dangers of having automatic connection to Wi-Fi on Android devices turned on. Not only does this allow devices, such as the Pineapple, to have access to your traffic, but, as in our primary attack example, it allows the possibility to get root access on Android systems if exploited properly. This is due to the stagefright vulnerability still being an active vector for attack, despite numerous attempts at bug fixes within the Android framework.

What are the goals of the project?

Our Pineapple Stagefright Mass Attack (PASMA), uses the Pineapple, wireless auditing platform, to perform man-in-the-middle attacks on stagefright vulnerabilities on Android devices by serving media with malicious content to the mobile device in order to gain control over it.

In particular, our goal is to perform a controlled experiment to deauthenticate users from their current network, forcing them to reconnect to what their devices believe is the same network. However, we will be directing the users traffic to and from their preferred network, allowing us the ability to compromise the confidentiality and integrity of the users traffic. We intend to serve up webpages with stagefright inflicting images. At this point, we will gain root access to the users Android device.


Please wait...

The fund will be used to hire two research assistants (undergrad students) for 3 months to implement the attack as a proof of concept. In addition, some devices will be purchased to test the implementation. Specifically, we need Pineapple, a wireless auditing platform, and one mobile Android-based device.

Endorsed by

I endorse this project. This research might lead to some unidentified security risks. This area should be examined deeply as it is very common practice to save known networks configuration. I hope it will help to reduce risk and cyber crimes.

Meet the Team

Karim Elish
Karim Elish
Assistant Professor


Florida Polytechnic University
View Profile

Team Bio

We are a research team working on cyber security at Florida Polytechnic University. The team consists of Dr. Karim Elish and two students researchers Jason Gutierrez-Pinho and Michael Whitfield. Jason and Michael are both undergrad students studying computer science & IT with a concentration in cyber security at Florida Polytechnic University. They have interest in all areas of technology with emphasis on the security aspects.

Karim Elish

I am an Assistant Professor in the Department of Computer Science at Florida Polytechnic University. I received my PhD and MS in Computer Science from Virginia Tech in 2015 and 2011, respectively. My current research interests focus on software security, Android malware analysis and detection, and software engineering. I have published several papers in peer-reviewed security and software engineering conferences and journals. Also, I am working as a reviewer for numerous conferences and journals, including IEEE Transactions on Dependable and Secure Computing (TDSC), and IEEE Systems Journal.

Lab Notes

Nothing posted yet.

Project Backers

  • 0Backers
  • 0%Funded
  • $0Total Donations
  • $0Average Donation
Please wait...