It wasn't so long ago that a security researcher spotted a serious bug in Google's Android mobile operating system. It was called Stagefright, after the library that contains the bug. Google vowed to release a patch that would fix it, but phones locked into carriers have yet to receive the update. Only Google's Nexus devices have received the patch.
But things are about to get worse. On Thursday, the same security researcher revealed two new Stagefright bugs that allow attackers to inject malicious code into Android devices. Joshua Drake, Vice President of Research at Zimperium zLabs, discovered the bugs.
Stagefright 2.0, Drake says, is a set of two vulnerabilities found in the Android media playback engine that allow attackers to penetrate devices by tricking users into visiting a website hosting a malicious multimedia file, which could be in mp3 or mp4 format. Simply put, the vulnerabilities can be exploited using specially crafted media files containing malicious metadata. Users who preview or view these files will be attacked.
Mr. Drake adds that the attack vector could be a web browser. This means that users will be directed to an infected website. Even worse, attackers can exploit the security flaw via Wi-Fi, using traffic interception techniques to fool users into clicking on a URL. The vulnerability can also be exploited through third-party applications such as media players and instant messengers.
Zimperium zLabs claims that around 950 million Android devices are vulnerable to the bugs. The company's founder, Zuk Avraham, said that the number could be higher, likely around 1.4 billion. “I cannot tell you that all of the phones are vulnerable, but most of them are,” Avraham tells Motherboard.
Specifically, the first bug affects almost every Android device released since 2008. The second bug can be paired with the first to exploit Android devices running version 5.0 and up. Zimperium zLabs plans to share a proof-of-concept with the public once a patch is available.
Google said that it would release a new patch to Nexus phones on October 5. Other Android devices from Motorola, Samsung, LG, Sony, HTC, Huawei, and Lenovo will receive the patch via carriers.
Security has long been an issue on Android. Stagefright 2.0 reminds us that no OS is perfect, even the open-source Android. The problem with Android (except for Nexus devices) is that updates are slow and untimely, because they have to be delivered through manufacturers and carriers. “It’s likely that there are more bugs,” Avraham said.
Source: Zimperium zLabs