Stagefright 2.0, the long-awaited sequel to August’s devastating Android vulnerability, is here, and this time every device with an Android operating system could be at risk. This new iteration of Stagefright exploits how Android reads MP3 and MP4 files to install malware on the device.
While Stagefright 2.0 definitely affects devices running Android 5.0 Lollipop and above, the Zimperium researchers that discovered the new exploit thinks that older Android operating systems could also “be impacted”.
The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.
- An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled Web site (e.g., mobile spear-phishing or malicious ad campaign).
- An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
- 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.
Zimperium has brought the issue to the attention of Google’s Android Security Team, which has assigned it the code CVE-2015-6602 and is working on a solution, scheduled for release next week.
Thank you ZDNet for providing us with this information.
