Stagefright allowed attackers to remotely execute code on a victim’s phone just by sending them a specially designed text message. It affected billions of devices worldwide, many of which have not been patched months later as it is up to manufacturers to issue Android updates even when Google creates them.
Now, a new incarnation of Stagefright again threatens the billions of Android phones used each day. Security firm Zimperium zLabs, responsible for discovering Stagefright 1.0, found that this time the attack is centred around Android’s multimedia functions and uses malicious MP3 audio or MP4 video files as its primary distribution vector.
It is now easier for hackers to infect devices as the phone no longer needs to receive a text message for the hijack to be successful. Users don’t even need to open the file as the vulnerability lies in MP3 and MP4 metadata processing. An infected MP3 would only need to be previewed in a media player dependent on the vulnerable Android libraries for the attack to be successful.
Files could be distributed online and would be capable of infecting devices if the user visited a webpage where the file is embedded. The attack threatens “almost every” Android device from version 1.0 right up to 5.0. A separate vulnerability would allow hackers to trigger the first method in phones running Android versions newer than 5.0.
Zuk Avraham, founder and CTO of Zimperium zLabs, told Motherboard that as many as 1.4 billion people could be affected by the issue. Zimperium zLabs researcher Joshua Drake told the news site in an email: “All Android devices without the yet-to-be-released patch contain this latent issue.”
Google has acknowledged the existence of “Stagefright 2” and is working on a fix. The patch will roll out to owners of its own Nexus phones on October 5, but customers of other brands may have to wait considerably longer. Although several major brands said they would roll out future security updates as quickly as possible in the wake of Stagefright 1, it wouldn’t be surprising if many phones never got the patch or waited months for it to be bundled with Android M upgrades.