In late-July, Stagefright took the spotlight as a major security concern for an incredible amount of Android devices out in the wild. While patches have been released by the major manufacturers, it looks like the horror isn’t over just yet.
As a refresher, Stagefright is a way that malicious individuals can gain media or system permission access on an Android-based device simply by sending a video to the device in an MMS. The attack was straightforward, made worse by many messaging apps, including Google’s own Hangouts, automatically processing videos received, which immediately left millions of devices vulnerable to the attack.
As a result of Stagefright, companies stepped up their own security updates. On August 5 of this year, Google confirmed that it would be sending out monthly security-focused updates to its Nexus-branded lineup, and on the same day Samsung confirmed the same trajectory for its own security updates. LG, too, would promise monthly security updates only a couple of days later.
Unfortunately, as first reported by VICE, the issue is not over.
According to security researcher Joshua Drake, who initially found Stagefright in the first place, there’s a pair of new bugs to be worried about, and he’s calling it ‘Stagefright 2.0.” With this second version of the attack, the attackers can actually instigate the first Stagefright bug on “any” Android device.
With Stagefright 2.0, the attack comes from the tricking of an Android user to visit a website where a malicious media file is waiting. That’s either stored in an MP3 or MP4 format. According to estimates from researchers at Zimperium zLabs, over 950 million Android users are susceptible to this attack. Going further, the company’s founder, Zuk Avraham, says that upwards of 1.4 billion users are affected by Stagefright 2.0.
According to Drake, who put it bluntly in an email with VICE, “All Android devices without the yet-to-be-released patch contain this latent issue.”
The MP3 or MP4 file simply has to be previewed on an Android device to infect that device. Or, worse, according to Drake if the attacker is on the same Wi-Fi network, like at a coffee shop, then that person simply has to intercept the planned victim’s unencrypted network traffic. By doing this, the attacker doesn’t need the victim to click on anything.
As it stands, Zimperium zLabs isn’t releasing the full technical details of this exploit just yet.
As it stands, Google shared the details of the exploit to its partners on September 10, and it plans on releasing a patch to fix the vulnerability on October 5.