Every Android device is vulnerable to newly discovered bugs
When combined, the flaws allow attackers to use booby-trapped audio or video files to execute malicious code on phones running Android 5.0 or later.
Stagefright 2.0, as Zimperium is calling it, impacts pretty much every Android device running any version of Android, which was released back in 2008.
Google, based in Mountain View, California, tries to set a good Android example with prompt security updates to its Nexus family of devices, including the new Nexus 6P and Nexus 5X announced this week that will carry Marshmallow to market. Those vulnerable Android phones could be exploited without needing any interaction on your part. “Issues including the ones Zimperium reported, will be patched in the October Monthly Security Update for Android rolling out Monday, October 5th.”
Over a billion Android customers are at risk from a new version of the Stagefright vulnerability that makes it possible for hackers to take over a victim’s phone by directing them to a specially crafted MP3 or MP4 file, according to new research. However, Google is yet to provide a CVE tracking number for the second vulnerability. It is likely to be fixed in an update last week.
Man-in-the-middle attackers who are in a position to intercept users’ Internet connections, for instance on open wireless networks or through compromised routers, could inject the exploit directly into their unencrypted Web traffic.
Android users are under attack again.
“As more and more researchers have explored various vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area,” the Zimperium researchers said in their report.
Zimperium will not release a proof of concept until Google has rolled out fixes for the libutils and libstagefright libraries.
Even as the Android Stagefright vulnerability is in the process of being patched for millions of Android users, Joshua Drake has dropped another Android bombshell.
Speaking to Motherboard, Drake states that all Android devices starting from Android 1.0 to the current version of the OS are affected by these vulnerabilities, as the patch to fix them has not yet been made available. SMS apps like Textra have recently updated to add Stagefright protection as a feature.