New Stagefright Bugs Put More than 1 billion Android Devices at Risk

The relentless stream of security flaws associated with the Stagefright library in the Android operating system shows no sign of stopping. Months after first discovering vulnerabilities in the library, mobile security firm Zimperium said it has just discovered two new bugs that could affect every Android device -- more than 1 billion -- on the market.

The latest threat, which Zimperium has dubbed Stagefright 2.0, consists of two separate bugs that occur when the Android OS tries to process certain MP3 sound or MP4 video files. "The first vulnerability (in libutils) impacts almost every Android device since version 1.0 released in 2008," Zimperium said in a statement. "We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright)."

Hidden in the Metadata

The flaw could allow an attacker to remotely execute arbitrary, and potentially malicious, code on a device, according to Zimperium. The flaw affecting MP3 files and the one affecting MP4 files both reside in the metadata of those files, which means even previewing a song or video could be enough to infect a device.

Since the primary attack vector of MMS has been removed in newer versions of Google's Hangouts and Messenger apps, the likely attack vector would be via the Web browser, Zimperium said.

A hacker would likely try to attack a target by convincing the user to visit a URL that takes that user to a Web site controlled by the hacker, such as a mobile spear-phishing site or malicious ad campaign. Another attack vector would be for a hacker on the same network to use a man-in-the-middle attack on unencrypted data traffic bound for the target's browser. Alternatively, hackers could exploit the bug through third-party apps that use the library, such as media players or messaging apps.

