'Stagefright 2.0' bug menaces over a billion Android devices

Researchers have discovered a second set of serious vulnerabilities in Google's Android mobile operating system, leaving over a billion new and old devices open to attack.

Dubbed Stagefright 2.0, the newly discovered vulnerabilities stem from two flaws in how Android handles audio and video files.

It was found by Joshua Drake of security vendor Zimperium, who also discovered the original Stagefright vulnerability affecting just under a billion Android devices in July this year. 

The first Stagefright flaw in the Android media processing software library allowed attackers to send a specially crafted multimedia messaging service (MMS) missive which, when received in Google's Hangouts and Messenger apps, would allow attackers to run arbitrary code on victims devices without user interaction.

Stagefright 2.0 has been given the common vulnerabilities and exploits moniker CVE-2015-6602 and can be triggered by specially crafted MP3 and MP4 media files, and again allows remote code execution, Drake said. 

Even devices that have been patched against the original Stagefright bug are vulnerable to version 2.0, including Android 5.0 and later. Older devices could also be vulnerable if the flawed function in the libutils tools is used by third party apps, or vendor/carrier-added preloaded features.

Drake and Zimperium said because the vulnerability drives from the way Android processes metadata within in the audio and video files, previewing them would trigger potentially malicious code.

Devices that have had the MMS attack vector for Stagefright closed off can be compromised through spear-phishing or malicious advertising campaigns that lure victims to websites with booby trapped MP3 and MP4 files.

Miscreants on the same network as victims could also attempt man in the middle attacks, injecting the exploit into unencrypted traffic destined for victims' browsers.

Third-party media players and instant messaging apps using the vulnerable media processing library could also be used as attack vectors, Zimperium noted.

No proof of concept will be shared for Stagefright 2.0, Zimperium said.

Drake expects further vulnerabilities will be found in Android's Stagefright media handling library - and its associated libraries - as researchers tear into the operating system component.