In the three months that have passed since the Stagefright exploit was first discovered, this security flaw in Android managed to create a rupture in the entire Android ecosystem. Although Google has patched the bug in a comparatively timely manner, it was up to manufacturers to implement the patch, and up to carriers to send it out to consumer devices. As a result, many smartphones, especially entry-level and mid-range devices still remain vulnerable to the initial Stagefright bug to this day.
With the initial Stagefright vulnerability, attackers could take control over an Android device by sending an MMS containing a malicious video. This time around, Zimperium has discovered a way to hack Android devices through a malicious audio file, encrypted in either the MP3 or the MP4 file formats.
Once again, the trouble is all in the way that Android previews the multimedia files it encounters. For example, if your Android device visits a web page where the malicious audio file is hosted, the OS tries to preview the file. At this point, your device will be infected. Since the vast majority of Android devices use some version of the preview function, there’s no limit to the potential magnitude of this new attack. According to the researchers at Zimperium, about 950 million Android devices could be vulnerable to the new Stagefright exploit.
Notified of the new Stagefright security flaw before Zimperium publicly announced the discovery, Google has announced that the patch for this exploit is included in the October Monthly Security Update for Android, which rolled out to manufacturers on September 10th. Google’s own Nexus devices will get the patch on October 5th.
Zimperium says that they have yet to see the exploit being used in the wild, but does that alleviate your paranoia? Drop us a comment in the section below and share your thoughts!