Malicious metadata in MP3 and MP4 multimedia files can allow attackers to take over your Android smartphone

Oct 1, 2015 20:14 GMT

Zimperium zLabs, the company that discovered the first Stagefright Android vulnerability, is now reporting that it has found two new flaws that affect all smartphones running Android 1.0 and higher.

These two new flaws have been named Stagefright 2.0, since they seem to work in a similar fashion to the original vulnerability.

Stagefright 1.0 relied on sending malicious MMS messages to remotely exploit the victim's smartphone, an attack vector that Google has closed in recent updates.

Stagefright 2.0 is exploitable via malicious MP3 and MP4 multimedia files

The new Stagefright 2.0 vulnerabilities rely on injecting malformed audio and video files into Web traffic. These files can then be opened via Web browsers, multimedia players and IM applications.

As Zimperium explains, the "two vulnerabilities [...] manifest when processing specially crafted MP3 audio or MP4 video files," and more specifically when the Android operating system reads metadata from audio and video files for preview and playback purposes.

The first vulnerability is found in the libutils library (CVE-2015-6602) and affects all devices running Android starting with version 1.0, released back in 2008.

The second vulnerability is found in the libstagefright library (CVE-2015-3876), and only affects devices running Android 5.0.

Both vulnerabilities would allow attackers to remotely execute code on your device and then take over your phone. According to Zimperium, around 1 billion Android devices are affected by this issue.

Google will release a patch next week

Zimperium says it reported the two problems to Google on August 15, and Google is preparing to patch them next week, in the next Nexus Security Bulletin.

The Stagefright Detector app will also be updated to detect these vulnerabilities once Google issues patches next week.

Zimperium has also said that it doesn't plan to share a proof-of-concept video just yet, planning to wait until most of the general public has patched their phones.

Zimperium's work in the field of Android security has had a great impact: Stagefright is the reason why Google, LG, and Samsung are now releasing monthly over-the-air updates for their Android devices.