The number of vulnerabilities found in Android’s Stagefright just grew, and this time devices from as far back as Android 1.0 are vulnerable to attack. This first vulnerability, affecting almost every Android device, is in “libutils” — and that’s just one of the vulnerabilities recently discovered by Zimperium. Another vulnerability was found in libstagefright that makes Android devices running software versions later than 5.0 vulnerable as well…
As shared by Zimperium Mobile Security:
Meet Stagefright 2.0, a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files. The first vulnerability (in libutils) impacts almost every Android device since version 1.0 released in 2008. We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright). Google assigned CVE-2015-6602 to vulnerability in libutils. We plan to share CVE information for the second vulnerability as soon as it is available.
This is definitely going to be just a bunch of confusing technical jibber-jabber to most, but it’s really pretty simple: There are a couple of vulnerabilities that appear when Android processes the metadata of certain MP3 and MP4 files. Thankfully, Google has fixed MMS vulnerabilities in their newest versions, and attackers have to go with something a little more complex this time. Zimperium suggests that the web browser is the most likely medium of attack now.
While you probably shouldn’t panic, the Android phone you own — which you might be reading this article on, in fact — is certainly vulnerable. The original Stagefright vulnerabiltiy, however, was part of many factors that pushed Google to step in and start doing monthly security updates for Android. If you have a Nexus device, you’ll probably get the update to fix this bug first, while owners of other Android phones will be down the line.
Google hasn’t actually recognized this vulnerability yet, and definitely hasn’t announced plans to fix it, but it’s almost certainly in the pipeline. That’s why they’re doing these monthly security updates (and giving those running Marshmallow a date that their device is secure to), right? Google pushed the last one on September 8th, so I assume that they’re getting read to push another in the next week or so. Whether or not it includes fixes for “Stagefright 2.0” is still to be seen.