Image: Wally Santana/Associated Press

More than a billion Android devices are vulnerable to second Stagefright bug

This time, an attack can happen just by previewing a song or video on your phone.
Oct 2nd 2015, 8:53 AM

MORE THAN A BILLION Android devices are at risk from a flaw that can infect devices when they preview an audio or video file.

Mobile security company Zimperium Labs discovered two new vulnerabilities that could put these devices at risk. Together called Stagefright 2.0, the flaws allow an attacker to use a specially-created MP3 or MP4 file to access an Android device’s code to track or take information or make changes remotely.

The same company discovered the original Stagefright bug and announced it back in July. That bug could see Android devices infected just by sending a text message to Google Hangouts or Messenger apps.

The issue lies with Android’s preview function, which processes the metadata within the files. Since Google Hangouts and Messenger have been updated, the attack would be carried out through a web browser.

The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.

The first vulnerability, found in the libutils code library, impacts almost every Android device as far back as 2008, while the second (in libstagefright, which is used to process media files) only affects those running Android version 5.0 and above.

However, there have been no examples where the flaws were exploited in public, and the details of said exploits have been kept private to prevent anyone from discovering them.

Zimperium Labs notified the Android Security Team of the issue back in August and an update has been shared with manufacturers. However, a fix for the second vulnerability hasn’t been provided yet.

While it is worrying that such flaws and vulnerabilities exist, the best way to keep yourself safe is to apply common sense when using your phone.

Always use approved apps, keep away from any sites or services that may look shady and don’t download content from unknown sources (for unapproved apps, you can check this by going into Settings > Security and making sure ‘unknown sources’ is turned off).


Quinton O'Reilly
