Stagefright is back: More than 1 billion phones can be hacked with 1 video or song
It’s time to evacuate the Android dance floor—lest you be infected by the sound.
Two new critical vulnerabilities in Google’s mobile operating system announced by security researchers on Thursday put more than a billion Android devices at risk of being hacked. That means “almost every Android device” is affected, ranging from Android version 1.0 to the latest version 5.0, also known as “lollipop,” the researcher said.
Attackers can exploit these computer bugs by tricking users into visiting websites that host malicious MP3 or MP4 files. Once a victim previews one of these infected multimedia files, which commonly package music or video, that person’s machine can swiftly be compromised. The issue involves how Android processes these files’ metadata through a media playback engine named Stagefright.
This is not the first time that researchers have found this portion of Android’s code to be massively vulnerable. Zimperium zLabs, the mobile security firm that discovered the flaws, disclosed a set of seven monumental Stragefright bugs earlier this year. Those vulnerabilities could have enabled hackers to hijack as many as 950 million Android devices through a single infected multimedia text message.
Like the first set of Stagefright bugs, the latest couple—dubbed “Stagefright 2.0” by the researchers—allows attackers to take control of a compromised device and to access its data, photos, camera, and microphone. Taken together, the new issues are even more pervasive as they affect more devices.
The first of the new bugs—labeled CVE-2015-6602—affects nearly every Android device released since the first generation of the software debuted in 2008. The second bug—CVE-2015-3876—impacts versions 5.0 and up, and makes the problems easier to trigger.
Fortune spoke to Zuk Avraham, founder and chairman of Zimperium, about the firm’s findings. Although he withheld certain information (to prevent others from taking advantage of the bugs), he did compare them to the first generation Stagefright flaws. “It’s as critical a vulnerability,” he said. “It can do the same kind of damage.”
Since Google (GOOG) has, as a result of the first Stagefright disclosures, patched the mechanism in its Hangouts and Messenger apps by which Android automatically processed media files upon receipt, that means exploiting Stagefright 2.0 requires a different tactic. Simply sending an infected MP3 or MP4 filed to a victim will not immediately detonate its payload. Instead, the attacker must trick a recipient into either viewing a video or listening to a song via a compromised network, through a web browser, or through a vulnerable instant messenger, media player, or other third-party app.
Avraham added that his team had not invested the time to determine which apps and media players in particular might be vulnerable, since many of these are vendor or carrier-specific and would have taken too long given the variety of applications within the fragmented Android manufacturing ecosystem. Android devices of the version 5.0 and above, however, don’t need the additionally vulnerable apps, he said. These devices instead can be “hacked out of the box.”
Joshua Drake, who headed research on this project as well as the prior work, disclosed the bugs to Google on August 15. “These issues are equally exploitable as the original Stagefright issues,” Drake told Fortune via email, passed along by a spokesperson. They “have been assigned a critical rating by the Android Security Team under the following clause,” he continued, pointing to an Android security resources page that contains severity ratings.
Under “critical” one finds the following: “Remote privileged code execution (execution at a privilege level that third-party apps cannot obtain.” That’s the bucket Stagefright 2.0 falls under.
A Google spokesperson told Fortune via email that the company already has patches in the queue. “As announced in August, Android is using a monthly security update process,” the spokesperson said, referencing the company’s decision to release fixes on a more regular schedule in the wake of the first Stagefright disclosures. “Issues including the ones Zimperium reported, will be patched in the October Monthly Security Update for Android rolling out Monday, October 5th and will be posted about here.”
That means patches will be publicly available for the company’s Nexus devices starting Oct. 5th. The spokesperson told Fortune that the company provided fixes to its Android manufacturing partners and carriers on Sept. 10, and that it is working with those companies “to deliver updates as soon as possible.” Attacks exploiting the bugs have not yet been reported in the wild, the spokesperson said.
Fortune is still waiting to learn when Android’s partnering phone manufacturers plan to roll out their patches. We will update this story when we hear back.
You can find out whether your device is vulnerable using Zimperium’s Stagefright detector app, which is available in the Google Play store. In the meantime, be extra cautious of the media you download. Stop these beats from killing you.
Do not—I repeat, do not—let the music take you underground.
For more on Stagefright, watch this video below.