Security experts have warned that over one billion Android devices are at serious risk from a new vulnerability dubbed Stagefright 2.0.
The attack exploits a vulnerability in the processing of MP3 audio and MP4 video files, which, once opened, can lead to remote code execution. This could include installing malware, capturing data for identity fraud or accessing photos and messages. Because of the nature of the vulnerability, users would be unable to tell if their device had been affected.
The first Stagefright bug left devices vulnerable to exploitation, with videos sent via MMS used as an avenue of attack. As many messaging apps process video automatically, users could be targeted without even knowing it. And it is feared that Stagefright 2.0 could be similarly dangerous.
Stagefright 2.0 uses similar avenues to exploit the vulnerability, this time using MP3 audio or MP4 video files. Once opened, these malicious files can trigger remote code execution (RCE), giving hackers the ability to remotely execute tasks on a device. This can include installing malware, mining data for identity fraud or accessing photos, media players or messengers.
Google released a patch for the original Stagefright attack, but even users who downloaded it are at risk from Stagefright 2.0.
“The first vulnerability impacts almost every Android device since version 1.0 released in 2008. We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability,” said security firm Zimperium in a report.
“A vulnerability in mediaserver could allow an attacker during media file and data processing of a specially crafted file to cause memory corruption and potentially remote code execution as the media server process,” Google wrote in a Nexus Security Bulletin.
“This issue is rated as a Critical severity due to the possibility of remote code execution as the privileged mediaserver service. The mediaserver service has access to audio and video streams as well as access to privileges that third party apps cannot normally access.”
The attack is, at this point, still hypothetical, with no users subject to the bug yet. Google said the vulnerability would be fixed in its monthly security update in October, with patches for other phones on the way. Google has provided patches to LG, HTC, Huawei, Sony and Samsung, which the companies are expected to roll out over the next month.
This may not be the end of Android attacks, though — Zimperium predict there are more to come.
“As more and more researchers have explored various vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area.”