Stagefright Is Back to Render over a Billion Android Devices Vulnerable

A new batch of Stagefright bugs that grants attackers the means to execute malicious code that leaves over a billion Android devices vulnerable has been discovered in recent versions of the Android operating system by researchers.

Security firm Zimperium has found two new vulnerabilities, dubbed Stagefright 2.0 that performs an exploit when processing media files. The media files are “specifically crafted” MP3 audio or MP4 video files, according to a new blog post by Zimperium zLabs.

Zimperium also discovered the first batch of Stagefright vulnerabilities that left over 950 million Android vulnerabilities to the possibility of a remote hijack. Similar to the first round of Stagefright, the second batch containing two bugs grants attackers the means to take control of a compromised device. Furthermore, an attacker can also gain access to a targeted phone’s data, camera, microphone and photos.

Stagefright 2.0

The vulnerability exists in the way metadata is processed within the files. Quite simply, even merely previewing the song or video will trigger the exploit, according to security researchers.

The two bugs that result in Stagefright 2.0 are:

  • CVE-2015-6602 found in the ‘libutils’ library that exists within every version of Android starting from 1.0.
  • The second exists in devices running Android version 5.0 (Lollipop) in libstagefright, a code library that is used to process media files within Android.

Related article: Simple Android Hack Leaves 95% Devices Vulnerable

Zimperium also added that the likely attack point for the newest batch of the Stagefright vulnerability is via the web browser. More specifically:

  • A URL redirecting to a malicious website that is controlled by an attacker through spear-phishing campaigns.
  • Man-in-the-middle (MITM) attacks on unencrypted network traffic.
  • Instant messengers, media players and other third party applications that share the same vulnerable library.

The security adds that they notified the Android Security Team at Google of this issue 45 days ago on August 15. Google is expected to release a fix for the vulnerability in a patch during the upcoming monthly security bulletin for Google’s Nexus devices that is scheduled in the second week of October.

While Nexus phones are certain to get the patch soon after Google releases it, users of other Android phones from different OEMs can expect the patch to take longer.