Back in July, a new exploit called Stagefright was found to affect all devices on Android 2.2 and up. Since then, Google and Android device makers have been working to patch that vulnerability, but now it looks like a new version of the security flaw has been discovered.
Zimperium, the security group that found the original Stagefright exploit, now reports that there are two “Stagefright 2.0” vulnerabilities that can be run by special MP3 audio or MP4 video files. It’s said that at least one of these new vulnerabilities can affect Android devices all the way back to version 1.0, with methods to trigger that vulnerability found all the way up to Android 5.0.
This new vulnerability can be run simply by previewing the malicious MP3 or MP4 file. Zimperium says that the most likely way that an attack would be run is using the web browser, like by getting a user to visit a specific URL. However, it’s said that the malicious code could also be sent to a user by a hacker injecting the exploit into unencrypted network traffic if both the hacker and user are on the same wireless network.
Zimperium says that it contacted Google about these new vulnerabilities on August 15 and that the Android Security Team promptly responded. A fix is expected to be included in the upcoming Nexus Security Bulletin, which should be pushed to Nexus devices next week, the week of October 5.
Like the original Stagefright bug, this sounds like a nasty exploit that could affect a lot of devices. The good news is that it’s a bit harder for this new exploit to be run on your device, because the way that it’s most likely to be sent to you is via a URL, you can avoid it by not clicking on links from sources that you don’t know. And thanks to Google’s new Nexus Security Bulletin, it won’t be long before Nexus devices get a patch. Here’s to hoping that other device makers aren’t far behind.