How a song threatens a billion Android devices

Zimperium lab researchers have been working on finding flaws, bugs and security vulnerabilites in Android for the past few months.

Stagefright 2.0, as Zimperium is calling it, impacts pretty much every Android device running any version of Android – which was released back in 2008. The gap is basically that a hacker can remote execute code by having your device process a malicious MP3 or MP4 file.

Drake expects further vulnerabilities will be found in Android’s Stagefright media handling library – and its associated libraries – as researchers tear into the operating system component. Zimperium zLabs initially discovered this class of vulnerabilities in April, but has now found the problem is broader than originally thought. This way, the file is ready for usage right after the user opens and the hacking could occur without the user even knowing about it.

Users could be duped into visiting URLs that activate Android’s preview function, or perhaps more worryingly, the fault could be exploited if a hacker and victim were on the same public Wi-Fi network such as a coffee shop.

These 2 new flaws have been named Stagefright 2.0, since they seem to work in a similar fashion to the original vulnerability. “We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright)”, wrote Drake in a blog post.

Joshua Drake, a researcher at Zimperium zLabs, told Motherboard:”All Android devices without the yet-to-be-released patch contain this latent issue”. They assigned CVE-2015-6602 to the libutils issue but have yet to provide us with a CVE number to track the second issue. Files could be distributed online and would be capable of infecting devices if the user visited a webpage where the file is embedded. Google, in their part, have responded quickly and a fix should be available soon in an update. Google released three patches for that bug and while that’s done and dusted it has been discovered that there’s yet another way the Stagefright bug can be used to pump malicious code into an unsuspecting device.

The bugs are due to be patched in Google’s monthly security update for October for its Nexus smartphones.

Google acknowledged the bug and seeded the patch to manufacturers and carriers.