Android users, beware of new Stagefright attacks
MANILA, Philippines – Mobile security research firm Zimperium zLabs on Thursday, October 1, discovered a new pair of vulnerabilities affecting Android devices, calling the new vulnerabilities Stagefright 2.0.
While the original Stagefright vulnerabilities discovered by Zimperium back in July related to attack code hidden inside multimedia texts, the two vulnerabilities in Stagefright 2.0 "manifest when processing specially crafted MP3 audio or MP4 video files."
Previewing a specially crafted song or video file would trigger the exploits, allowing an attacker to execute code remotely.
One of the vulnerabilities, assigned the Common Vulnerabilities and Exposures (CVE) number CVE-2015-6602, reportedly affects Android devices from version 1.0 and above, whereas the second, unnumbered vulnerability affects devices running 5.0 and above.
This second vulnerability may also affect third-party applications due to the issue being found within the libstagefright library used by some media players.
Zimperium informed Google of the two vulnerabilities on August 15, and a fix is supposed to come in the next Nexus Security Bulletin scheduled for next week. Phone manufacturers, however, will need to patch consumers' phones accordingly through an update.
In a Motherboard report, Zuk Avraham, Zimperium zLabs' founder and Chief Technology Officer, said that 1.4 billion people are likely affected by the vulnerabilities, explaining, "I cannot tell you that all of the phones are vulnerable, but most of them are."
Joshua J. Drake, the researcher who discovered Stagefright and Stagefright 2.0, told Motherboard by email that "All Android devices without the yet-to-be-released patch contain this latent issue."
Google's latest Android operating system, Marshmallow, will reportedly carry the fix for the issue, though older devices that cannot be updated to Android Marshmallow may end up being stuck with vulnerabilities inside them. – Rappler.com