Zimperium security confirmed that the vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue.
Advertisement
A MASSIVE security flaw described as the “worst Android vulnerability in the mobile OS history” is back and 950 million Android smartphones and tablets are at risk.
One of the flaws newly discovered by Zimperium is located in a core Android library called libutils and affects almost all devices running Android versions older than 5.0 (Lollipop).
However, the security research firm that first discovered the flaw said it has now found a second wave of bugs.
The big difference between Stagefright 2.0 and the original vulnerability is the minimal amount of user information an attacker needs to gain access to your phone.
Vulnerabilities associated with the Stagefright library have been cropping up since April, and Zimperium said that more are likely to be discovered in the future as more security researchers begin to focus on the problem.
Google and the big telecommunications and smartphone companies like Samsung, HTC, LG and Sony have already been informed about this bug and the danger it brings to smartphone users.
The Android Stagefright 2.0 bug has now been patched, after its initial discovery this July.
Attackers could trick users into visiting websites that exploit the flaw through links in email and instant messages or through malicious advertisements displayed on legitimate websites.
Zimperium held off releasing proof-of-concept exploit code but will allow a few of its partners to see it later this month, it said.
Just recently, according to Motherboard, a spokesperson from Google said that the patch will be delivered to its Nexus Phone users in October 5 and is now working on with manufacturers and carriers ith high hopes that it will roll out the update the soonest possible time.
Google tracks the vulnerabilities as CVE-2015-3876 and CVE-2015-6602. Researchers from antivirus vendor Trend Micro have since found and reported multiple issues in these components.
Advertisement
Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser, Zimperium said. Once the patch is generally available, the company said it would update its Stagefright Detector app to detect the vulnerabilities.
