Stagefright 2.0: A billion Android devices could be compromised

eBook: The DevOps Roadmap for Security - Tips and tools for bridging the security tribe into DevOps. Download →

Most Android users are, once again, in danger of having their devices compromised by simply previewing specially crafted MP3 or MP4 files.

Zimperium researchers, who were the ones who discovered easily exploitable remote code execution flaws in the Stagefright media library earlier this year, are also behind this latest discovery, which the dubbed Stagefright 2.0.

“The first vulnerability (in libutils) impacts almost every Android device since version 1.0 released in 2008. We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright),” they explained in a blog post.

“Google assigned CVE-2015-6602 to vulnerability in libutils. We plan to share CVE information for the second vulnerability as soon as it is available.”

It is estimated that currently around one billion of Android devices is affected by the flaw in libutils, but the libstagefright bug is present on around 20 percent of them.

The Stagefright media library is used by Android to process a number of popular media formats.

The vulnerabilities can’t be triggered via MMS (as before), but can be via browser or a third-party app that uses the vulnerable library.

Google has, naturally, been notified of the problem, and they are already working on a patch. In the meantime, Zimperium researchers won’t be releasing PoC code to the public for the foreseeable future, but they will share it with Zimperium Handset Alliance partners.

All this aside, the researchers are sure that this is not the end of vulnerabilities affecting this particular library. “As more and more researchers have explored various vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area,” they noted.

Zimperium customers are protected against attacks exploiting these newly revealed flaws, but the company has promised to update their Stagefright Detector app to detect this vulnerability as soon as Google comes up with a patch (it’s scheduled for release next week).

Let’s hope that some mobile device manufacturers keep their promises when it comes to shipping patches more quickly and on a regular basis.