Security researchers warn of Stagefright 2.0 for all Android devices

5 Oct 2015

Not long after Google patched the Stagefright bug that targeted a phone’s multimedia messaging function, a new vulnerability has been found and is being dubbed, unsurprisingly, Stagefright 2.0.

The Stagefright 2.0 bug was found by Zimperium Security, the same team that found the original Stagefright, while its researchers were looking for similar vulnerabilities that led to MMS being affected.

Sure enough, the team has found two vulnerabilities that affect both the processing of MP3 and MP4 files that allow for remote attacks against Android phones.

The first vulnerability in MP3 file processing, dubbed ‘in libutilis’, affects the most versions of Android – going back to 2008’s Android 1.0 – while the MP4 vulnerability called ‘libstagefright’ affects Android 5.0 and later.

According to Zimperium Labs, the actual vulnerability lies within the processing of metadata in the files which is triggered when doing so much as previewing the MP3 or MP4 file.

However, due to the fixing of the original Stagefright vulnerability, the most likely place where either Stagefright 2.0 vulnerability will enter the phone will be through a browser or third-party apps.

Easier to spread than Stagefright

The code could then be activated either by clicking a link or it could inject the exploit using common traffic interception techniques (man-in-the-middle) to unencrypted network traffic destined for the browser.

More importantly, however, this second iteration of Stagefright requires less information for the attacker compared to the previous one whereby they needed to have access to the victim’s phone number to send the Stagefright-infected MMS.

Zimperium Labs says that Google was notified of the vulnerabilities on 15 August and responded quickly to address the issue. Google reportedly plans to fix them in the next update to its own Nexus phones and, subsequently, other Android phones.

Speaking of what lies in store now for Stagefright and its later iterations, Zimperium Labs say that it is likely that more might be found.

“As more and more researchers have explored various vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area. Many researchers in the community have said Google has replied to their reported bugs saying that they were duplicate or already discovered internally,” Zimperium Labs said.

Android-powered HTC phone image via Shutterstock0

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com