Stagefright 2.0: How Bug Targets Android Devices

What you need to know about the latest vulnerability.

The second coming of the Stagefright bug is here.

"Meet Stagefright 2.0, a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files. The first vulnerability (in libutils) impacts almost every Android device since version 1.0 released in 2008. We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright)," Zimperium researchers wrote in a blog post.

A user can be exploited if they are sent an infected file or are lured to a website where they would then open the malicious audio or video file. The vulnerability is triggered when the file's metadata (the underlying, contextual information such as when the file was created) is processed, meaning that simply previewing a song or a video from an infected file could leave users exposed.

Researchers exploited the flaw on devices running Android 5.0 and later; however, they said older devices, extending as far back as Android 1.0, may be impacted due to third-party apps using the vulnerable library.

Zimperium said Google's Android Security Team was made aware of the issue on Aug. 15, and they "responded quickly and moved to remediate." Zimperium said it will update its "Stagefright Detector" app to identify the flaw as soon as a patch is issued.

"We would like to thank Google for their cooperation for promptly including the fix in the upcoming Nexus Security Bulletin scheduled to be released next week," the blog post said. The firm also said it encouraged vendors "to update their Android devices to incorporate the fix as soon as possible."