Reports from several security researchers claim more than a billion users could be affected by the newly discovered Stagefright security flaws in Android devices. The two vulnerabilities, which leave Android users open to attacks, have been dubbed "Stagefright 2.0" by mobile security company Zimperium zLabs.
Joshua Drake, the company's VP of research, reports that an attack on the mobile OS can be triggered by simply previewing an affected song or video, as the vulnerability itself lies in the processing of metadata. Processing MP3 or MP4 files could lead to arbitrary code execution. He claims that because apps have now been updated to remove the MMS vector available in their previous versions, this time the carrier could be the device's web browser.
According to the researcher, this could be done in the following ways:
- An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker-controlled Web site (e.g., mobile spear-phishing or malicious ad campaign).
- An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
- 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.
Speaking to Motherboard, Drake states that all Android devices starting from Android 1.0 to the current version of the OS are affected by these vulnerabilities, as the patch to fix them has not yet been made available. Zimperium zLabs' founder and chief technology officer says, "I cannot tell you that all of the phones are vulnerable, but most of them are."
Given that an estimated 1.4 billion Android users may be affected, the company has reported the vulnerabilities to Google's Android Security Team, which has assigned CVE-2015-6602 to track one of the issues. However, Google is yet to provide a CVE tracking number for the second vulnerability. The company has been testing a patch privately with various manufacturers to fix the problem and will reportedly roll out a patch for its Nexus devices on October 5.