Just when you thought we were over the last Stagefright vulnerabilities, Zimperium Mobile Security has discovered two new vulnerabilities that can be used to install an exploit on your Android device, allowing an attacker to execute remote code.
“Stagefright 2.0,” as Zimperium is calling it, impacts pretty much every Android device running any version of Android – which was released back in 2008. The first vulnerability is located in the libutils library, while the second which targets devices running Android 5.0 and up is located in the libstagefright library. Both vulnerabilities are delivered in specially crafted MP3 audio or MP4 video files.
Google has already fixed the libutils issue, and is due to push out the fix in next week’s Android security update. The second vulnerability has yet to be assigned a CVE (Common Vulnerabilities and Exposures) number by Google. As the vulnerability is contained within the metadata within the audio or video file, simply previewing a song or video will trigger the exploit. Apps like Google’s Hangouts and Messenger are safe, but attackers may use other common methods to target user devices:
- An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled Web site (e.g., mobile spear-phishing or malicious ad campaign)
- An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
- 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.
At this time Zimperium is not releasing a proof of concept until Google has rolled out fixes for the libutils and libstagefright libraries. While Google has a patch rolling out, companies like Samsung, HTC, Sony, Lenovo, LG, and Huawei will have to incorporate the code and push out their own updates, while Motorola said they will address these bugs with their upcoming Android M upgrades and maintenance releases for older devices.
What do you think about these recent exploits aimed at attacking Android users? Let us know in the comments below, or on Google+, Twitter, or Facebook.Source: Zimperium Source: Motherboard