It looks like Stagefright strikes again.
The security bug that preyed upon phones running versions of Android OS between 2.2 and 4, has now reared its head to attack devices running Android 5.0 and above.
Joshua J. Drake, Zimperium zLabs vice president of research, has found another security issue in Android called Stagefright 2.0. Drake claims there are two vulnerabilities that can happen when processing specially crafted MP3 audio and MP4 video files.
Apparently, within MP3 and MP4 files is a function that allows remote code execution (RCE). This basically means that infected MP3 and MP4 files can give someone access to run a task on your Android phone. Even simply previewing a malicious song or video can put your phone at risk.
Drake says in his blog post that the most vulnerable approach to an Android phone is through a Web browser, with three different ways a hacker might take advantage of the security bug.
First, an attacker could try to get an Android user to visit a URL that will really lead to an attacker controlled website. This could be done in the form of an ad campaign, for example. Once lured in, the victim would be exposed to the infected MP3 or MP4 file.
Along the same lines, an attacker could use a third-party app, like a media player. In this case, it’s the app that would contain one of these malicious files.
But there is a third possibility where a hacker could take a different route.
Say, the hacker and Android user are using the same WiFi. The hacker then wouldn’t need to trick the user into visiting a URL or opening a third-party app. Instead, all they would have to do is inject the exploit into the user’s unencrypted network traffic used by the browser.
The original Stagefright bug — which was also discovered by Drake earlier this year — opened Android phones to the vulnerability through text messages containing malware.
If a hacker knew your phone number, a text message could be sent containing a malicious multimedia file. The text could then allow a hacker access to a user’s data and photos, or even give access to functions like the phone’s camera or microphone.
Users could be affected and not even know it.
A patch was released for the original Stagefright bug not too long after the vulnerability was discovered. There have been however a few issues with the patch. Some reports have indicated the patch can cause phones to crash in some cases when a multimedia message is opened.
Drake says he has notified Android of the threat and stated Android moved quickly to remediate, though they have yet to provide a CVE number to track this latest issue. Google is including a fix for Stagefright in the Nexus Security Bulletin coming out this week.
If you are unsure if your Android device is vulnerable, you can download the Zimperium Inc. Stagefright Detector app to check for vulnerabilities.