Stagefright Strikes Again – A Billion Android Devices Are Vulnerable
Researchers have discovered new vulnerabilities inherent in Android and dubbed it Stagefright 2.0, leaving more than a billion Android devices vulnerable to remote code execution by merely previewing music or videos.
Security researchers at Zimperium zLabs have discovered a new variant of the infamous Stagefright vulnerability and have promptly named it Stagefright 2.0. The new vulnerability comprises of two bugs, both of which could directly compromise more than a billion Android devices. In other words, every single Android device currently in use is vulnerable to the exploit.
The complete account of Zimperium zLabs’ findings can be found here.
The first among two vulnerabilities exists in the ‘libutils’ library that would impact every Android device since version 1.0 released in 2008. Researchers at Zimperium discovered that devices running a newer version of Android from 5.0 or Android Lollipop are vulnerable to the second flaw in ‘libstagefright,’ a code library used by Android to process media files.
The vulnerabilities are triggered when specifically crafted MP3 audio files or MP4 video files are accessed. The vulnerability lies within the processing of metadata within the media files. Quite simply, the mere previewing of the infected song or video file could trigger the exploit.
Zimperium researchers believe that the most likely attack vector is through using the Web browser in ways such as:
- Employing a spear-phishing campaign or a malicious ad campaign to get an unsuspecting user to visit a URL redirecting to a malicious website controlled by the attacker.
- Injecting the exploit while on the same network using a man-in-the-middle attack by intercepting common unencrypted traffic.
- 3rd party applications such as instant messengers, file sharing apps with media-playing capabilities and media players that use the same vulnerable library.
Zimperium has also stated that they’ve contacted Google’s Android Security Team to notify them of the new vulnerabilities on August 15. Fixes are expected to be patched through as updates in the Nexus Security Bulletin that is scheduled for release next week.
While Nexus device owners can expect a fix quickly, Android users with devices from other manufacturers are likely to wait for a longer time to get custom firmware or updated ROMs with patches.
Zimperium founder Zuk Avraham points to Google’s previous patch cycle after the first Stagefright vulnerability to note that Android users on KitKat (version 4.4) or 40 percent of total Android users are likely to receive patches, along with 20 percent of users on the newer version of Android Lollipop.
Speaking to the Register, Avraham said:
While we have no specific information about what devices will receive fixes, we believe Android devices running Android KitKat 4.4 and later will receive updates. However, since Android 6 is due to release next week as well, it’s possible that only 5.0 and 6.0 devices will receive updates.
Image from Shutterstock.