
More than a billion Android devices are vulnerable to second Stagefright bug

This time, an attack can happen just by previewing a song or video on your phone.

Image: Wally Santana/Associated Press

MORE THAN A BILLION Android devices are at risk from a flaw that can infect devices when they preview an audio or video file.

Mobile security company Zimperium Labs discovered two new vulnerabilities that could put these devices at risk. Called Stagefright 2.0, the flaws let an attacker use a specially-created MP3 or MP4 file to access an Android device’s code to track or take information or make changes remotely.

The same company discovered the original Stagefright bug and announced it back in July. That bug could see Android devices infected just by sending a text message to Google Hangouts or Messenger apps.

The issue lies with Android’s preview function, which processes the metadata within the files. Since Google’s Hangouts and Messenger apps have been updated, the attack would be carried out through a web browser.

The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.

The first vulnerability, found in the libutils code library, impacts almost every Android device as far back as 2008, while the second, in libstagefright (which is used to process media files), only affects those running Android version 5.0 and above.

However, there have been no examples where the flaws were exploited in public, and the details of said exploits have been kept private to prevent anyone from discovering them.

Zimperium Labs notified the Android Security Team of the issue back in August and an update has been shared with manufacturers. However, a fix for the second vulnerability hasn’t been provided yet.

While it is worrying that such flaws and vulnerabilities exist, the best way to keep yourself safe is to apply common sense when using your phone.

Always use approved apps, keep away from any sites or services that may look shady and don’t download content from unknown sources (for unapproved apps, you can check this by going into Settings > Security and making sure ‘unknown sources’ is turned off).


About the author:

Quinton O'Reilly
