V3 reports the bug was found by Trend Micro security researchers and has been given the tag of CVE-2015-3842. Hackers are not known to be actively exploiting it in the wild but users are nonetheless urged to update devices, if possible.
Google has already released a fix for core Android but, as always, it is left to the manufacturer’s discretion over when the update should be delivered. Recently, Google, Samsung and LG announced that they would be delivering all security updates so new devices from these companies should get the patch soon.
The vulnerability lies in Android’s Mediaserver component — the same place where the Stagefright flaw that affects 95 percent of all Android devices was discovered last month. The software is responsible for handling media files including photos, music and videos.
An attacker using Stagefright 2 is able to fully control what happens, choosing when to start and stop the attack. They would have access to the same permissions as Mediaserver itself, allowing a hacker to control features such as the camera, microphone and speakers. The attack begins by convincing the user to install a “safe” app without any suspicious permissions, although are there other entry methods available.
Wish Wu, Trend Micro Mobile Threat Response Engineer, explains: “This attack can be fully controlled, which means a malicious app can decide when to start the attack and also when to stop. An attacker would be able to run their code with the same permissions that mediaserver already has as part of its normal routines.”
The vulnerability affects Android versions ranging from 2.3 — released in 2010 — all the way through to this year’s 5.1.1. It follows on from three other issues in Mediaserver found this year that trapped phones in endless reboots, made them completely silent or, in the case of Stagefright 1, could let an attacker install a malicious app by sending a multimedia message (MMS) to a target device.
Trend Micro notified Google of ‘Stagefright 2’ on June 19. On August 1, a patch was released to the Android Open Source Project. Trend Micro revealed the details of the vulnerability on Monday August 17. A further update will be released in September.
