New Stagefright 2.0 Bugs – 1.4 Billion Android Users at Risk


A security researcher revealed in July how Android devices could be compromised with a single text message, thanks to a handful of bugs in the Android operating system. The flaw, commonly known as Stagefright, was called one of the biggest vulnerabilities ever found in the operating system and pushed manufacturers to promise monthly security updates. While Google is still pressing its partners to roll out timely updates, two new Stagefright bugs were disclosed today.

Stagefright 2.0 vulnerability affects all Android versions:

Joshua Drake, the Zimperium researcher who found the original Stagefright bugs, has now disclosed two new ones that let an attacker compromise an Android device by luring the user to a website that hosts a malicious multimedia file, either MP3 or MP4. According to the researcher, the file only needs to be previewed, not played, for the attacker's code to run on the victim's device.

Because the new bugs sit in the same Android media-processing path (the libutils and libstagefright code that parses media metadata), the pair is being called Stagefright 2.0. The vulnerability can be triggered by a web page, a man-in-the-middle attack, a third-party media player, an instant messaging app, an ad campaign, and so on. Zimperium also warns that once "the attacker gains a foothold", they "could conduct further local privilege escalation attacks and take complete control of the device."

Zimperium explains how the attack can be triggered:

The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.

  1. An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker-controlled Web site (e.g., mobile spear-phishing or malicious ad campaign)
  2. An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
  3. 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.
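The reason "merely previewing" a file is enough is that a player reads the ID3v2 metadata tag at the start of an MP3 before it decodes a single audio sample, so every size field in that tag is attacker-controlled input. The parser below is an added example written for this article, not Zimperium's or AOSP's code, and its bounds check is the generic defence for this bug class rather than a description of the actual CVE-2015-6602 and CVE-2015-3876 defects. The two sample tags it parses are constructed inline; the "forged" one carries a frame whose declared size exceeds the data that follows it, which a parser that trusts the size field would happily read past.

```python
"""Constructed ID3v2.3 parser showing the metadata attack surface.

Added example, not the vulnerable Android code. The sample tags are built
inline so the script runs offline on no real MP3 file.
"""
import struct
from typing import List, Optional, Tuple

ID3V2_HEADER_LEN = 10   # "ID3" + version(2) + flags(1) + syncsafe size(4)
FRAME_HEADER_LEN = 10   # id(4) + size(4) + flags(2), ID3v2.3 layout


def _syncsafe(n: int) -> bytes:
    # Tag sizes use 7 bits per byte so no byte can equal an MPEG sync byte (0xFF).
    return bytes(((n >> shift) & 0x7F) for shift in (21, 14, 7, 0))


def _unsyncsafe(b: bytes) -> int:
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def build_frame(frame_id: str, payload: bytes, declared_size: Optional[int] = None) -> bytes:
    """One ID3v2.3 frame. declared_size lets a sample forge a size field that lies."""
    size = len(payload) if declared_size is None else declared_size
    return frame_id.encode("ascii") + struct.pack(">I", size) + b"\x00\x00" + payload


def build_tag(frames: List[bytes]) -> bytes:
    body = b"".join(frames)
    return b"ID3\x03\x00\x00" + _syncsafe(len(body)) + body


def parse_id3v2(data: bytes) -> Tuple[List[Tuple[str, bytes]], List[str]]:
    """Return (frames, problems): frames as (id, payload), problems as strings.

    Stops at the first inconsistent frame instead of trusting its size field.
    """
    problems: List[str] = []
    if len(data) < ID3V2_HEADER_LEN or data[:3] != b"ID3":
        return [], ["no ID3v2 header"]
    major = data[3]
    if major != 3:
        return [], [f"ID3v2.{major} not handled by this example"]
    tag_size = _unsyncsafe(data[6:10])
    end = ID3V2_HEADER_LEN + tag_size
    if end > len(data):
        problems.append(f"tag declares {tag_size} bytes but file has {len(data) - ID3V2_HEADER_LEN}")
        end = len(data)                        # never read past what we actually have
    frames: List[Tuple[str, bytes]] = []
    pos = ID3V2_HEADER_LEN
    while pos + FRAME_HEADER_LEN <= end:
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":         # padding marks the end of the frames
            break
        if not all(0x30 <= c <= 0x39 or 0x41 <= c <= 0x5A for c in fid):
            problems.append(f"invalid frame id {fid!r} at offset {pos}")
            break
        size = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        avail = end - (pos + FRAME_HEADER_LEN)
        if size > avail:                       # the check a vulnerable parser skips
            problems.append(f"{fid.decode()} declares {size} bytes but only {avail} remain")
            break
        start = pos + FRAME_HEADER_LEN
        frames.append((fid.decode(), data[start:start + size]))
        pos = start + size
    return frames, problems


def text_frame_value(payload: bytes) -> str:
    """Decode a text frame (TIT2, TPE1, ...); the first byte selects the encoding."""
    enc = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}.get(payload[0])
    if enc is None:
        raise ValueError(f"unknown text encoding byte {payload[0]}")
    return payload[1:].decode(enc).rstrip("\x00")


# Constructed samples: a well-formed tag and one whose frame size field lies.
GOOD_MP3_HEAD = build_tag([build_frame("TIT2", b"\x00Example title"),
                           build_frame("TPE1", b"\x00Example artist")])
FORGED_MP3_HEAD = build_tag([build_frame("TIT2", b"\x00Example title", declared_size=0xFFFFFFF0)])

if __name__ == "__main__":
    for name, blob in (("good", GOOD_MP3_HEAD), ("forged", FORGED_MP3_HEAD)):
        frames, problems = parse_id3v2(blob)
        print(name, [(fid, text_frame_value(p)) for fid, p in frames], problems)
```

The design point is the `size > avail` comparison before any slice is taken: the frame's declared length is compared against the bytes that actually remain inside the tag, and the tag's own declared length is clamped to the file. A native parser that allocates or copies based on the declared length alone is the shape of bug this article is about, and the same rule applies to the atom sizes in an MP4 container.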

Hundreds of millions of Android devices are exposed: between them, the newly disclosed vulnerabilities (CVE-2015-6602 and CVE-2015-3876) affect every Android version up to and including Android 5.1.1 Lollipop. The research team found that one of the bugs affects "almost every Android device" back to the very first release of the OS, while the second, present only in Android 5.0 and later, can be used to trigger the first, Motherboard reports. Researchers estimate that at least 950 million Android users are exposed, with the company's Chief Technology Officer putting the figure at 1.4 billion.

Zimperium reported the vulnerabilities to Google on August 15, and Google is expected to roll out the patch to Nexus devices on October 5. Google has also shared the patches with its OEM partners, so other devices should receive the fix soon after. Zimperium says it will release a proof-of-concept video once the fix is out.