Another month, another massive Android vulnerability that puts hundreds of millions of smartphone users at risk. The vulnerability is being called Stagefright 2.0 because of how many devices it encompasses, which security researchers at Zimperium zLabs claim could be more than a billion. More frightening than the number of people affected is the fact that the vulnerability could allow hackers to take control of your device by having you run an MP3 or MP4 video file on your smartphone, and it’s probably not going to get patched for people running older devices.
A new ‘Stagefright’ vulnerability uncovered by security researchers at Zimperium zLabs could compromise your Android phone just by opening an MP3 file. One of the new exploits reportedly affects every device from version 1.0, which was released in 2008, and the other impacts devices running 5.0 and above. The attack — dubbed Stagefright 2.0 — is related to the processing of metadata within a MP3 or MP4 video file. Previewing a specially crafted song or video would execute the exploit, which would allow an attacker to execute remote code. It also affects third-party apps, as the bug is found within the libstagefright library leveraged by some media players. The exploit has not been spotted in the wild at time of writing. There is no proof-of-concept code for the bug as it is still unpatched, but the company will update its Stagefright detection app once a fix is released. The researchers reported the bug to Google on August 15th, which plans to release a patch in the next Nexus Security Bulletin scheduled for the second week of October.
