The relentless stream of security flaws associated with the Stagefright library in the Android operating system shows no sign of stopping. The other vulnerability allows the hackers to trigger the first vulnerability even in devices that run 5.0 and above.
The “Stagefright” bug, which infected phones with a media file sent via MMS, was first discovered in April before a number of patches were released to protect handsets against the vulnerability. Known as Stagefright 2.0, this exploit manifests itself when processing specially crafted MP3 or MP4 files and is prevalent in every Android device since the first version.
The flaw affecting MP3 files and the one affecting MP4 files both reside in the metadata of those files, which means even previewing a song or video could be enough to infect a device.
The primary attack vector of MMS has been removed from Google’s Hangouts and Messenger apps as the experts suggest that the attack would most likely come from the web browser.
The code could then be activated either by clicking a link or it could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser. This however, was an effectively hypothetical vulnerability as there have been no reports of an “in the wild” attack.
Stagefright, a security loophole found to affect 95% of Android smartphones, was supposed to have been quashed by updates from the likes of Samsung, HTC and Google.
Exploitation of the Stagefright 2.0 bug has been made a little bit more hard, Google pushing fixes for this Android vulnerability, all as part of its monthly security bulletin.
Zimperium held off releasing proof-of-concept exploit code but will allow a few of its partners to see it later this month, it said.
Google was notified about it in August, and the company flagged it as a “critical vulnerability” but no patch has been rolled out so far.
Still, fixing software problems on mobile devices is a disjointed affair and users are dependent on device manufacturers and operators for timely patching. The only silver lining to the continuing Stagefright problems is that the crisis has pushed vendors to release security updates more frequently.