Stagefright 2.0: Security Flaw in Android Puts 1 Billion Devices at Risk

The remote-code-execution risk stems from flaws in Android's media processing components, which malicious websites can exploit.

Researchers have identified major flaws in the way Android handles media files; the flaws can be exploited against users who are lured to malicious websites.

A report by Zimperium (a cyber-security company) says, “Meet Stagefright 2.0, a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files.”

The same report states that the flaws can enable remote code execution on almost every device that runs Android (tablets, smartphones, etc.), regardless of version, from Android 1.0 through 5.1.1.

Earlier this year, Zimperium researchers found similar multimedia processing flaws in an Android library called Stagefright; those could be exploited merely by sending a malicious MMS message to an Android device.

One of the new flaws is located in libutils, a core Android library, and can be exploited on almost every device running an Android version older than 5.0. On Android Lollipop it can still be reached by chaining it with a second bug found in the Stagefright library.

The Zimperium researchers refer to this new attack as Stagefright 2.0 and believe it affects more than 1 billion devices.

The researchers say the vulnerability lies "in the processing of metadata within the files," so the bug is triggered as soon as the file's metadata is parsed: simply previewing a video or playing a song is enough, with no further user interaction.
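The report does not give the internals of either bug, so the following is an added example and not Zimperium's or Google's code: a small ID3v2.3 tag parser (the metadata block at the start of many MP3 files) written to show the kind of bounds checks a metadata parser needs against crafted length fields. The tag bytes, the function names and the specific checks are all constructed for illustration; they are not the Stagefright 2.0 trigger.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decode a 4-byte ID3v2 "syncsafe" integer (7 usable bits per byte). */
static uint32_t syncsafe(const uint8_t *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

/* Big-endian 32-bit integer (ID3v2.3 frame size field). */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse an ID3v2.3 tag from buf[0..len). Copies the TIT2 (title) text into
 * title (NUL-terminated, at most title_cap-1 bytes). Returns the number of
 * frames parsed, or -1 if the metadata is malformed. Every length that comes
 * from the file is checked against the buffer before it is used. */
int parse_id3v2(const uint8_t *buf, size_t len, char *title, size_t title_cap) {
    if (title_cap == 0) return -1;
    title[0] = '\0';
    if (len < 10 || memcmp(buf, "ID3", 3) != 0) return -1;
    if (buf[3] != 3) return -1;                 /* only ID3v2.3 handled here */
    uint32_t tag_size = syncsafe(buf + 6);
    if (tag_size > len - 10) return -1;         /* check 1: tag must fit the file */
    size_t pos = 10, end = 10 + tag_size;
    int frames = 0;
    while (pos + 10 <= end) {
        const uint8_t *fh = buf + pos;
        if (fh[0] == 0) break;                  /* zero bytes = padding, stop */
        uint32_t fsize = be32(fh + 4);
        /* check 2: frame body must fit inside the tag. Comparing against the
         * remaining space (rather than computing pos + fsize) also rules out
         * integer overflow from a huge size field. */
        if (fsize > end - (pos + 10)) return -1;
        if (memcmp(fh, "TIT2", 4) == 0 && fsize >= 1) {
            size_t n = fsize - 1;               /* first body byte is the text encoding */
            if (n >= title_cap) n = title_cap - 1;  /* check 3: bounded copy */
            memcpy(title, fh + 11, n);
            title[n] = '\0';
        }
        pos += 10 + fsize;
        frames++;
    }
    return frames;
}

/* Constructed sample: a minimal ID3v2.3 tag with one TIT2 frame ("hello"). */
static const uint8_t BENIGN_TAG[] = {
    'I','D','3', 0x03,0x00, 0x00, 0x00,0x00,0x00,0x10,  /* header, tag size 16 */
    'T','I','T','2', 0x00,0x00,0x00,0x06, 0x00,0x00,    /* frame header, body size 6 */
    0x00, 'h','e','l','l','o'                           /* encoding byte + text */
};

/* Constructed crafted sample: identical, but the frame size field claims
 * 0xFFFFFFF0 bytes. An unchecked parser would copy far past the buffer. */
static const uint8_t CRAFTED_TAG[] = {
    'I','D','3', 0x03,0x00, 0x00, 0x00,0x00,0x00,0x10,
    'T','I','T','2', 0xFF,0xFF,0xFF,0xF0, 0x00,0x00,
    0x00, 'h','e','l','l','o'
};

int parse_benign(char *title, size_t cap)  { return parse_id3v2(BENIGN_TAG,  sizeof BENIGN_TAG,  title, cap); }
int parse_crafted(char *title, size_t cap) { return parse_id3v2(CRAFTED_TAG, sizeof CRAFTED_TAG, title, cap); }

int main(void) {
    char title[32];
    int r = parse_benign(title, sizeof title);
    printf("benign:  frames=%d title=\"%s\"\n", r, title);
    r = parse_crafted(title, sizeof title);
    printf("crafted: result=%d (rejected before any copy)\n", r);
    return 0;
}
```

The point of the crafted sample is that nothing about the file looks wrong to a player: it is still a valid-looking MP3 tag that a media scanner would parse automatically, which is why "just loading" a file is sufficient to reach a bug in this kind of code.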

Attackers could lure users to websites that exploit the vulnerability, using links in emails, SMS or chat messages, or malicious ads displayed on legitimate websites.

Attackers able to intercept users' Internet connections, on open Wi-Fi, at routers along the path, or by other means, could also inject the exploit directly into unencrypted web traffic.

“Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser. An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker-controlled Web site,” says Zimperium.

Android OS has become the most vulnerable of all platforms

Zimperium reported the flaws to Google on August 15 and plans to release proof-of-concept exploit code once Google ships a fix.

A Google representative said the fix would be released on October 5 as part of the scheduled monthly Android security update.


Google assigned the vulnerabilities the identifiers CVE-2015-3876 and CVE-2015-6602 and shared patches for them with OEM partners on September 10, along with all the other fixes scheduled for the October security update.

The earlier Stagefright flaws drove researchers to look for other vulnerabilities in Android's multimedia processing libraries. Since then, researchers at antivirus vendor Trend Micro have found many more bugs in these components.

A report by Zimperium researchers says:

“As more and more researchers have explored various vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area. Many researchers in the community have said Google replied to bugs they reported saying they were duplicate or already discovered internally.”

This is not the first vulnerability discovered in Google's Android; flaws are found frequently. In July, Zimperium disclosed a bug that could compromise a device by sending it a single multimedia (MMS) message. In August, FireEye Inc., a cyber-security company, reported that fingerprint sensors on Android devices could be attacked; at a hacker conference the company showed that biometric authentication data, including fingerprint data, could be compromised.
