Second coming of Stagefright vulnerability discovered by researchers can infect almost every Android smartphone on the planet
A billion Android smartphones and tablets are at risk from a new bug that can infect devices when they preview audio or video files, a team of security experts have warned.
The security flaw carries many of the same features as the text message Stagefright bug that was discovered in July and was seen as the biggest hole in Android security ever reported.
Researchers at Zimperium zLabs, which reported the original bug, have dubbed it Stagefright 2.0, and warned that it can affect “almost every Android device” since version 1 in 2008.
If a user merely listens to or watches a specially created MP3 or MP4 file using Android's preview function, hackers could access the device's code and make changes remotely, and in theory could track or steal information.
Users could be duped into visiting URLs that activate Android's preview function, or perhaps more worryingly, the fault could be exploited if a hacker and victim were on the same public Wi-Fi network, such as one in a coffee shop.
“The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue,” the researchers wrote.
“Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.”
The two vulnerabilities – one which affects almost all Android devices and another that can attack those running Android 5.0 upwards – have been flagged to Google, which said it had shared an update with Android manufacturers.
It is also fixing the bug for its own Nexus devices with an update on October 5. Zimperium urged Android manufacturers to patch the problems as soon as possible.
The original Stagefright bug surfaced in July, and exploited a flaw in Google’s chat apps Hangouts and Messenger when they were sent multimedia video files.
Google rushed to fix the bug, patching both apps, although some older versions of Android did not receive the updates.