Zimperium Zlabs has disclosed a new Android vulnerability it's calling Stagefright 2.0. In case that name isn't ringing any bells, it's a bug in an Android multimedia component that can allow an attacker to perform remote code execution, sometimes without any user interaction. The previous version affected an estimated 950 million handsets, and the new version has the potential to affect even more.
Zimperium discovered two more distinct vulnerabilities in the way the operating system handles metadata in MP3 and MP4 files. The first vulnerability is CVE-2015-6602, and it lies in an Android component called libutils. According to Zimperium, the vulnerability "impacts almost every Android device since version 1.0 released in 2008." Those older devices can be exploited if libutils is used by preloaded or carrier-provided applications and a specially-crafted file is previewed or opened.
The second vulnerability affects devices running Android 5.0 or later, and again lies in the libstagefright component. Zimperium has confirmed that this bug can also allow an attacker to execute code remotely.
In order to exploit the vulnerability, all one has to do is lead the user to preview or open a specially-crafted MP3 or MP4 file. Should that happen, any code of the attacker's choice can be executed on the victim's device, which would likely result in a complete takeover of the system.
Previously, the Stagefright vulnerability could be exploited with an MMS message, but Google has since updated both Hangouts and Messenger to work around that issue. However, users are still in danger if they click a link to a malicious file, or if a computer on the same network intercepts traffic and injects the exploit. Third-party media player apps using the vulnerable system libraries are affected, as well.
Zimperium reported the issues to Google's Security Team on August 15. The company will be providing fixes in next week's Nexus Security Bulletin. Zimperium will also be updating its Stagefright Detector App to look for the new vulnerability. As for system updates for non-Nexus devices, it's anyone's guess. Some OEMs have promised monthly security updates, but patched Android versions are still rolling out slowly, if at all.