Zimperium zLabs has found a new vulnerability in Android, called ‘Stagefright 2.0’. The first variant was known to allow remote code execution without any user interaction, leaving a then-estimated 950 million handsets at potential risk.
The newer bug affects both newer and much older versions of the Android operating system.
Stagefright 2.0 is a set of two bugs that can be triggered when processing certain MP3 audio or MP4 video files. The first flaw is in the libutils library, which has been present since the first Android release, 1.0. The second vulnerability is triggered in devices with Android 5.0 and later.
This attack can be triggered by the following methods:
- An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker-controlled web site (e.g., mobile spear-phishing or a malicious ad campaign).
- An attacker on the same network could inject the exploit into unencrypted network traffic destined for the browser, using common traffic interception (MITM) techniques.
- Third-party apps (media players, instant messengers, etc.) that use the vulnerable library.
The security team informed Google on August 15th. Although Google seems to have responded to the first vulnerability, the team did not receive any response for the second.
The team did provide a Stagefright Detector app that can be downloaded via Google Play.