Over a billion Android devices vulnerable to latest Stagefright bug

The attack exploits a vulnerability in the processing of MP3 audio and MP4 video files: once a malicious file is opened, it can lead to remote code execution. This could include installing malware, capturing data for identity fraud or accessing photos and messages. Because of the nature of the vulnerability, users would be unable to tell if their device had been affected, reports Wired.

The first Stagefright bug left devices vulnerable to exploitation, with videos sent via MMS used as an avenue of attack. As many messaging apps process video automatically, users could be targeted without even knowing it. It is feared that Stagefright 2.0 could be similarly dangerous.

Stagefright 2.0 uses similar avenues to exploit the vulnerability, this time using MP3 audio or MP4 video files. Once opened, these malicious files can trigger remote code execution (RCE), giving attackers the ability to remotely execute tasks on a device. This can include installing malware, mining data for identity fraud or accessing photos, media players or messengers. Because of the nature of the vulnerability, users would be unable to tell if their device had been affected.

Google released a patch for the original Stagefright vulnerability, but even users who installed it are at risk from Stagefright 2.0.

“The first vulnerability impacts almost every Android device since version 1.0 released in 2008. We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability,” said security firm Zimperium in a report.

“A vulnerability in mediaserver could allow an attacker during media file and data processing of a specially crafted file to cause memory corruption and potentially remote code execution as the media server process,” Google wrote in a Nexus Security Bulletin.

“This issue is rated as a Critical severity due to the possibility of remote code execution as the privileged mediaserver service. The mediaserver service has access to audio and video streams as well as access to privileges that third party apps cannot normally access.”