As if the existing news about Stagefright wasn’t bad enough, it looks as if there’s further vulnerabilities that have been found that allow malicious attackers to execute code on more than one billion Android devices, including those running quite old and very new versions of the operating system.
Stagefright 2.0, as it is being dubbed, is a set of two bugs triggered by causing Android to process specially designed MP3 audio or MP4 video files. The first flaw has been acknowledged by Google, as CVE-2015-6602, and exists in a library known as libutils and goes back to Android 1.0. The same vulnerability can be triggered in newer Android devices by exploiting the libstagefright library; this latter vulnerability still has not been acknowledged formally by Google.
Combined, these flaws allow attackers to use a specially made audio or video file to execute code on phones running Android, both new and old. In their announcement posted earlier today, Zimperium researchers noted:
The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.
- An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled Web site (e.g., mobile spear-phishing or malicious ad campaign)
- An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
- 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.
This isn’t good news for Google, or for Android, with many devices likely to remain vulnerable and unpatched, due to the way Android software updates are released.
We’ve written about Stagefright extensively before (see Duncan’s excellent explanatory piece from August), including steps you can take to mitigate the risk, but without software updates, it cannot be entirely eliminated. Though this sounds bad, it’s important to remember one thing — a good number of things need to line up very precisely for these exploits to be used maliciously, and (to this writer’s knowledge, at least) successful attacks outside the research lab haven’t been reported.
To check whether your phone is vulnerable, the best bet is Zimperium’s Stagefright Detector, available for free on the Play Store.
If your device is vulnerable, keep an eye on news from your handset manufacturer for updates which might patch the vulnerabilities. As we hear from manufacturers about fixes, we’ll let you guys know.
More of the Android core needs to be moved to the play store (like the webview and Google Play Services)
Not good news, but there may be a silver lining here. This sort of threat will surely force some change in the Android ecosystem, the end result will be more timely security updates. Unfortunately though, I think any change in the short term will only benefit owners of recently released flagship devices. I can’t see any OEM providing updates to 2 year old phones.