V3.co.uk

Stagefright 2.0 Android flaw leaves a billion users open to attack

Latest malware bypasses Google patches to attack web browsers

Stagefright Android
Stagefright 2.0 Android flaw could leave up to one billion users open to attack
0 Comments

Two new Stagefright vulnerabilities have been uncovered in Google's Android software which potentially leave up to one billion users at risk, according to security researchers at Zimperium Labs.

Stagefright 2.0 can allow hackers to remotely compromise mobile and tablet devices running Android and is triggered by specially crafted MP3 audio or MP4 video files.

The first new vulnerability, found in the ‘libutils' library and assigned CVE 2015-6602, affects every Android version since 1.0, released in 2008.

However, the researchers also discovered that a second security flaw in ‘libstagefright', a library used by Android to process media files, affects all devices running version 5.0 and up.

Zimperium explained that the attack style has changed since the first iteration of Stagefright. "The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue," the team said.

"Since the primary attack vector of MMS has been removed in newer versions of Google's Hangouts and Messenger apps, the likely attack vector would be via the web browser."

The researchers warned that the flaw can also allow hackers to launch man-in-the-middle attacks and intercept communications on a network.

Google told V3: "As announced in August, Android is using a monthly security update process. Issues, including the ones Zimperium reported, will be patched in the October Monthly Security Update for Android rolling out 5 October and will be posted about on our blogs."

The original Stagefright was fully disclosed in August by Joshua J. Drake, vice president of research at Zimperium, and affected up to 950 million devices.

Following the discovery, Google, Samsung and LG started rolling out patches in an attempt to fix the Stagefright flaw.

Mark James, IT specialist at security firm ESET, explained that the new variant of Stagefright contains some key differences.

"The first version of Stagefright required some information, namely your mobile number, to be able to send the text message to your device," he said.

"This new version does not need to know any of your information to be successful; merely visiting the website and previewing the malicious file could trigger the use of the vulnerability.

"There are so many methods used these days for infecting the unsuspecting end user that you must think twice before clicking that link. We all know there is nothing for free in this world. Everything comes at a cost and your private data is worth a lot more than a free music or video file."

V3 Latest