During the recovery days of Stagefright 1 we are being hit with the harsh realities of the latest rounds of Stagefright 2.0, an even scarier vulnerability plaguing over ONE BILLION devices running Android.
More than one billion devices are open to hackers once again, thanks two newly disclosed Android vulnerabilities.
Stagefright is back, and worse this time, as the vulnerability allows potential attackers to hack Android smartphones just by tricking the victim to visit a website that contains either a maliciously crafted MP3 or MP4 file.
Back in July, Joshua Drake, a security researcher at Zimperium revealed the first Stagefright bug that allowed anyone to hijack Android smartphones with a simple text message. Since Drake’s disclosure Google has issued patches for Stagefright 1, but the Android community is still in the recovery days of such a dangerous vulnerability.
Both of the recently disclosed vulnerabilities (CVE-2015-6602 and CVE-2015-3876) also reside in the Android Media Playback Engine called Stagefright, and affects all Android OS versions from 5.1.1 all the way down to 1.0. Devices running 5.0 or earlier can be similarly exploited using another vulnerable function inside libutils, a specific condition that can depend on what third-party apps are installed and what functions came preloaded on the phone.
According to researchers, merely previewing the maliciously crafted files can execute the Stagefright 2.0 exploit, allowing hackers to run whatever remote code they desire on the victim’s Android device.
In a blog post published Thursday, Zimperium researchers wrote:
“The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.
- “An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled Web site (e.g., mobile spear-phishing or malicious ad campaign)
- “An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
- “3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.”
“Additionally, the attacker gains a foothold, from which they could conduct further local privilege escalation attacks and take complete control of the device,” Zimperium researchers explained.
Google is scheduled to release their monthly Android Security Update on October 5th, which the company stated will contain patches for a barrage of vulnerabilities including the latest Stagefright 2.0 bugs.
Due to the severity of the vulnerability, Google has already shared the flaw with OEM partners on September 10th, so you may also be receiving Android patches from your vendor in the next coming days if your not a Nexus owner.
Zimperium reported Stagefright 2.0 to Google on August 15. The firm also plans to disclose the technical details and proof-of-concept code once a successful patch is issued.