We’ve heard a lot about Stagefright, the collective name for the critical vulnerabilities which makes an estimated 950 million Android devices open to attacks was found earlier this year. Now two new security bugs have been discovered which affects even more Android devices. This is what we know about Stagefright 2.0.
According to Zimperium, the security firm that discovered the original Stagefright bugs, the two new vulnerabilities gives attackers the ability to use specifically crafted MP3 audio or MP4 video files to deliver and execute malicious code on almost every Android device from version 1.0 and above. The code could be executed remotely in some cases and users would be none the wiser.
While there is no known attacks that exploit the Stagefright vulnerabilities just yet, Zimperium has run tests to successfully demonstrate these security flaws. For these malicious audio or video files, even just previewing the files could trigger the payload. For man in the middle (MITM) attacks, users could be lured to a website created just to inject the exploit without their knowledge.
Zimperium has already shared the exploit code for the first lot of Stagefright vulnerabilities but has yet to do so for Stagefright 2.0. The problem is Google is still working on patches to fix all of these flaws so Android users should take precautions to protect themselves against potential attacks.
Exercising vigilance when surfing the web should be second nature everybody and it’s especially important now for Android device owners given the Stagefright issues. If you want to take that extra step to stay secure, enable two-factor authentication on any service or app that you use on your Android device and only connect onto networks that you trust.
[Via Zimperium Blog]