Stagefright has become the gift that keeps on giving. However, these aren’t fun gifts like ponies or Turboman action figures; rather, these are the scary kind that expose our Android devices to external threats.
When the first exploit was discovered in July, the weakness made it possible for attackers to infect a device with malicious code through Android’s MMS multimedia preview feature. Google rushed to patch this vulnerability, but only two weeks later a new bug was discovered and a fresh batch of patches had to be cooked up. Now, months after we thought we were relatively safe, Stagefright has returned like a horror movie monster in the third act.
Zimperium Security has discovered a new exploit in Stagefright that isn’t protected by any current patches. Attackers could encode malicious software into an mp3 or mp4 audio file. All the user needs to do is preview the infected file, and the program would theoretically infect the device. What’s worse is that this exploit can be deployed on public Wi-Fi networks or embedded in webpages, so experts are concerned about the possibility of a self-replicating virus or worm.
Because nearly all Androids make use of a preview function of some sort, the vast majority of Android devices currently in use are vulnerable to this Stagefright exploit. This is troubling news, because even the previous strategies used to deal with Stagefright have proven to be less effective than they were designed to be.
Of course, these types of threats are often not as scary as the FUD news reports that center around them. The odds of actually being infected are pretty low, but it’s still something Google will want to address sooner rather than later. Thankfully, Google has already begun work on patching this new threat, and is planning to release the fix in October’s monthly security update.
Information related to the exploit has already been handed off to providers, and so far, there are no reports of any actual attacks using this vulnerability. Nevertheless, until the patch comes out, over a billion phones are left vulnerable.