While Google is still working to get the recently announced Stagefright vulnerability fixed across all of its operating systems, a second Stagefright vulnerability has now been discovered affecting millions of Android devices.
The Stagefright Mark II vulnerability was discovered by Zimperium Lab researchers, who said that it affects Android 5.0 and higher and could be exploited by corrupted MP3 or MP4 files. To be exploited, users simply need to browse a web site with the crafted code. This gives hackers full control of the device, allowing them to steal your information, spy on you, or install other software to give them access even after you fix the vulnerability.
Stagefright 2.0 exploits libstagefright while Stagefright 1.0 exploited libutils which impacted every Android device since version 1.0. Stagefright 2.0 should be taken very seriously: even though it impacts only the latest versions of Android, millions of devices are still affected by it.
How Does Stagefright 2.0 Work?
The vulnerability is within the metadata stored in media files, so simply viewing or previewing a song or video could trigger exploitation of the vulnerability. Here’s how it would work according to Zimperium:
- An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled Web site (e.g., mobile spear-phishing or malicious ad campaign)
- An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
- 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.
Patching Stagefright 2.0 Vulnerability
The Android team was notified of this issue on August 15th and is moving very quickly to address the exploit. Google is expecting a patch to be released on October 5th to address the exploit, and all affected Android users are highly advised to patch.
CVE-2015-6602 was created in response to the vulnerability and can be tracked through the National Vulnerability Database.
Stagefright 1/2 Vulnerability Checker
Zimperium has a tool available to analyze your Android device to determine if your device is vulnerable to either Stagefright version 1 or 2. You can download it directly from the Google Play Store.