The vulnerability is particularly worrisome because a user could fall victim without doing anything at all – the bug triggers just by looking at it. Because the software framework is used for processing all types of media content, handsets can even be infected by landing on a website with embedded video content.
The Zimperium researchers found similar multimedia processing flaws earlier this year in an Android library called Stagefright that could have been exploited by simply sending Android devices a maliciously crafted MMS message. The exploit reaches the device and executes code for installing malware, lifting personal data, or gaining access to messages and photos via a file vulnerability. This new version of the bug lets an attacker deliver the exploit to any Android device running Lollipop 5.1 and below. After Google’s announcement, major manufacturers including Samsung and LG also committed to monthly patching. This time the bug, dubbed Stagefright 2.0, gets an upgrade for the worse.
The Zimperium researchers refer to the new attack as Stagefright 2.0 and believe that it affects over 1 billion devices.
Vulnerabilities associated with the Stagefright library have been cropping up since April, and Zimperium said that more are likely to be discovered in the future as more security researchers begin to focus on the problem. Known as Stagefright 2.0, this exploit manifests itself when processing specially crafted MP3 or MP4 files and is present in every Android device since the first version.
But it wasn’t until last week that Zimperium reported that they had found a new way to exploit the vulnerability.
Zimperium Labs says that Google was notified of the vulnerabilities on 15 August, responded quickly to address the issues, and plans to fix them in the next update to Google’s own Nexus phones and subsequently other Android phones. Google shared patches for them with OEM partners on September 10, together with all fixes that will be included in the October security update.
As with the previous vulnerabilities it discovered in the Stagefright library, Zimperium said that it alerted Google about the flaw several months ago. The only silver lining to the continuing Stagefright problems is that the crisis has pushed vendors to release security updates more frequently.