Google is still working on getting the Stagefright vulnerability fixed across its operating system, but matters seem to be getting worse for Android: researchers who contributed to the discovery of the original Stagefright vulnerability have discovered yet another similar issue that would leave users open to malicious attacks and malware. Google acknowledged the discovery and announced that the first of the patches that should fix Stagefright mark II would be released on October 5.
Zimperium lab researchers have been working on finding flaws, bugs and security vulnerabilities in Android for the past few months. The researchers are credited with part of the Stagefright discovery that was all the rage this summer. Yesterday, they announced that a new type of Stagefright vulnerability was found in all versions of Android starting from Android 1.0 that would expose users to malicious attacks through corrupted MP3 and MP4 files.
According to Zimperium, these files don’t even have to end up on a user’s phone: they can be manipulated on the web, with code introduced into their strings that vulnerable devices can easily pick up when streaming video or audio on the web or through a dedicated application. The vulnerability would expose the media library of the device and thus the privacy of the user, and through the media library and its attached protocols attackers can further exploit the operating system and take full control of the device.
As various Android phones are still getting Android 5.1.1 Lollipop, which contains the Stagefright fix, other users should be preparing for yet another minor update. Google is going to roll out the Stagefright mark II fix on Monday to its partners, and carriers as well as unlocked phones should be getting the fix in a matter of weeks. Unfortunately, Zimperium says there’s no way to prevent attackers from exploiting the vulnerability at this point, save for extreme caution. Until a proper patch is released, all Android devices will be vulnerable.
The Stagefright 2 vulnerabilities are especially dangerous to users because the exploit code injected into media can be streamed to the device without the user actually accessing the file – a preview is enough. The good news is that most people familiar with malware will not be fooled, as the attacker will eventually have to lead them to download malware in order to infect their devices.
That’s why everyone needs to make sure of their sources and always pay attention to what they’re tapping and downloading. Never download from unknown sources and never run unknown apps or open unknown, suspicious files on any device. Alternatively, you can use the Stagefright vulnerability detection tool to check if you’re in trouble. Until the patch is released, vigilance is key.