The Stagefright saga is just not letting up, after first being discovered in July, this so called hack allowed attackers to target Android phones over text or MMS, exploiting a weakness in Android’s multimedia preview function. Google, manufacturers and carriers scrambled to patch the bug, only to have another bug pop up two weeks later, which required a whole another round of patches. And now, three months after the initial mayhem, it’s all happening again putting over 1 billion Android devices at risk.
Zimperium Security has discovered a new exploit in Stagefright that isn’t protected by any current patches dubbed as Stagefright v2.0. Attackers could encode malicious software into an mp3 or mp4 audio file. All the user needs to do is preview the infected file, and the program would theoretically infect the device. What’s worse is that this exploit can be deployed on public WiFi networks or embedded in webpages, so experts are concerned about the possibility of a self-replicating virus or worm. Because some version of the preview function exists in most versions of Android, nearly every Android device is susceptible to the bug, although specific implementations vary from version to version.
To take advantage of these bugs, a hacker can trick a potential victim into opening a website where he has planted a malicious mp3 audio file, or a malicious mp4 video file, or by tricking the victim to open them in a third party application, say a multimedia player, that depends on the vulnerable Android libraries.
“Merely previewing the song or video would trigger the issue,” Joshua Drake, a researcher at Zimperium zLabs, and also author of the Android’s Hacker Handbook posted on a blog post. A more remote possibility is if the hacker is on the same network as the victim (say, they’re both connected to a restaurant’s Wi-Fi). In that case, Drake explained, the hacker can inject the exploit code intercepting the victim’s unencrypted network traffic. In this case, the hacker doesn’t need the victim to click on links or open any files. Zimperium is not releasing the full technical details to exploit these vulnerabilities yet.
A Google spokesperson said that a patch for these new vulnerabilities will be rolled out to users of its Nexus phones on October 5. Google also shared the patch privately to partners on September 10, and is working with manufacturers and carriers “to deliver updates as soon as possible.” Samsung, HTC, Sony, Motorola, Lenovo, LG, and Huawei have been made aware and they will soon be releasing new patches these new Stagefright bugs.
How to Stay Safe
The key to staying safe has everything to do with paying attention to where you’re browsing and what you are connected to. Avoid public networks when you can, rely on two-factor authentication whenever possible, and stay away from websites you think can cause your device harm. Mostly, common sense web stuff for keeping yourself safe.
Stagefright, more than any other bug before it, has truly exposed Android’s faulty update strategy, as far as most manufacturers go they would be needed several weeks, if not months, to patch even the first Stagefright bug let alone the new one.
In the meantime, stay safe and cautious in your actions while previewing and downloading mp3 and mp4 files untill your device manufacturer comes up with the security patch for your specific device.