New Stagefright 2.0 vulnerability could affect 1.4 billion Android devices with a single song or video

Security research firm Zimperium zLabs has discovered another Stagefright vulnerability that could affect almost all of the 1.4 billion Android devices on the planet. Dubbed Stagefright 2.0, the new vulnerability could be triggered simply by previewing an affected song or video.

StageFright 2.0

Speaking on the issue, Joshua Drake, the company’s VP of research, says that the vulnerability lies in how the metadata of the affected songs or videos is handled. In such a scenario, merely previewing the media could lead to arbitrary code execution, thereby infecting your device. According to the firm, the attack could be delivered in the following ways:

  • An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled Web site (e.g., mobile spear-phishing or malicious ad campaign).
  • An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
  • 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.

At the time of writing, neither Google nor Zimperium zLabs has a patch ready for the vulnerability. It was reported that the security firm is testing the patch privately and that, together with Google, it would roll it out on October 5th. Despite today being the release day of Android 6.0 Marshmallow, the patch hasn’t made its way to any of the Nexus devices as suggested. The Marshmallow update was built and finalized on August 27th, even though its most recent security patches are dated October 1st. Google has yet to assign Stagefright 2.0 a number in its issue tracker, so things don’t look bright just yet.

Source

Rounak

Student, smartphone enthusiast and a Nexus fan.
