New ‘Stagefright’ bug menaces over a billion Android devices
The new
That fix will come on October 5 as part of the new scheduled monthly Android security update, a Google representative said. CVE-2015-6602 refers to a vulnerability in libutils, and as Zimperium points out in its post announcing the discovery of this vulnerability, it impacts every Android phone and tablet going back as far as Android 1.0.
Addressing the Stagefright problem, Dong Jin Koh, VP and Head of Mobile Research and Development Office, IT & Mobile Communications at Samsung Electronics, said: ‘With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner.’
Earlier, when Drake published details in August about critical Android vulnerabilities in the Stagefright media playback engine, he promised there would be more issues in the Android operating system. The second vulnerability has yet to be assigned a CVE (Common Vulnerabilities and Exposures) number by Google.
Android users are under attack again. More troubling is that an attacker may be able to leverage public Wi-Fi hotspots to infect victims' phones by having them download a file or visit an infected site. Those vulnerable Android phones could be exploited without needing any interaction on your part.
Google is also fixing the bug for its own Nexus devices with an update on October 5. While it’s possible someone else could figure this exploit out before Google issues a patch, it’s unlikely with the details behind this exploit still being kept private.
Google is working on fixing the Stagefright exploit in the core code of Android that is distributed to OEMs. If you take a look at the list of devices patched for the last Stagefright exploit, you’ve got a reasonable picture of what hardware is being considered a priority in this process. First discovered in July, the vulnerability allowed attackers to target Android phones over text or MMS, exploiting a weakness in Android’s multimedia preview function.
Zimperium also sent an update to the company’s Zimperium Handset Alliance (ZHA), which includes most major Android manufacturers. Google released three patches for that bug, and while that’s done and dusted, it has been discovered that there’s yet another way the Stagefright bug can be used to pump malicious code into an unsuspecting device.