The relentless stream of security flaws associated with the Stagefright library in the Android operating system shows no sign of stopping. Months after first discovering vulnerabilities in the library, mobile security firm Zimperium said it has just discovered two new bugs that could affect every Android device — more than 1 billion — on the market.
The latest threat, which Zimperium has dubbed Stagefright 2.0, consists of two separate bugs that occur when the Android OS tries to process certain MP3 sound or MP4 video files. “The first vulnerability (in libutils) impacts almost every Android device since version 1.0 released in 2008,” Zimperium said in a statement. “We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright).”
Hidden in the Metadata
The flaw could allow an attacker to remotely execute arbitrary, and potentially malicious, code on a device, according to Zimperium. The flaw affecting MP3 files and the one affecting MP4 files both reside in the metadata of those files, which means even previewing a song or video could be enough to infect a device.
Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser, Zimperium said.
A hacker would likely try to attack a target by convincing the user to visit a URL that takes that user to a Web site controlled by the hacker, such as a mobile spear-phishing site or malicious ad campaign. Another attack vector would be for a hacker on the same network to use a man-in-the-middle attack on unencrypted data traffic bound for the target’s browser. Alternatively, hackers could also exploit the bug through third-party apps that use the library, such as media players or messaging apps.
The Fix Is In
As with the previous vulnerabilities it discovered in the Stagefright library, Zimperium said that it alerted Google about the flaw several months ago. A patch for the bug is expected to be released in a Nexus Security Bulletin next week.
Zimperium said it doesn’t plan to offer a proof-of-concept exploit to the general public until the patch is released, although the company said it would be releasing a proof-of-concept code to members of its Zimperium Handset Alliance partners. Once the patch is generally available, the company said it would update its Stagefright Detector app to detect the vulnerabilities. Vendors should update their Android devices to incorporate fixes as soon as possible, the firm said.
Vulnerabilities associated with the Stagefright library have been cropping up since April, and Zimperium said that more are likely to be discovered in the future as more security researchers begin to focus on the problem. The only silver lining to the continuing Stagefright problems is that the crisis has pushed vendors to release security updates more frequently.
