A billion Android devices could be vulnerable to Stagefright 2.0 bug

Zimperium Zlabs has disclosed a new Android vulnerability it's calling Stagefright 2.0. In case that name isn't ringing any bells, it's a bug in an Android multimedia component that can allow an attacker to perform remote code execution, sometimes without any user interaction. The previous version affected an estimated 950 million handsets, and the new version has the potential to affect even more.

Zimperium discovered two more distinct vulnerabilities in the way the operating system handles metadata in MP3 and MP4 files. The first vulnerability is CVE-2015-6602, and it lies in an Android component called libutils. According to Zimperium, the vulnerability "impacts almost every Android device since version 1.0 released in 2008." Those older devices can be exploited if libutils is used by preloaded or carrier-provided applications and a specially-crafted file is previewed or opened.

The second vulnerability affects devices running Android 5.0 or later, and again lies in the libstagefright component. Zimperium has confirmed that this bug can also allow an attacker to execute remote code.

In order to exploit the vulnerability, all one has to do is lead the user to preview or open a specially-crafted MP3 or MP4 file. Should that happen, any code of the attacker's choice can be executed in the victim's device, which would likely result in a complete takeover of the system.

Previously, the Stagefright vulnerability could be exploited with an MMS message, but Google has since updated both Hangouts and Messenger to work around that issue. However, users are still in danger if they click a link to a malicious file, or should a computer on the same network intercept traffic and inject the exploit. Third-party media player apps using the vulnerable system libraries are affected, as well.

Zimperium reported the issues to Google's Security Team on August 15. The company will be providing fixes in next week's Nexus Security Bulletin. Zimperium will also be updating its Stagefright Detector App to look for the new vulnerability. As for system updates for non-Nexus devices, it's anyone's guess. Some OEMs have promised monthly security updates, but patched Android versions are still rolling out slowly, if at all.


Comments closed
    • ronch
    • 4 years ago

    I don’t expect to ever get an update for my stupid crappy Samsung tablet. I swear, I’m just putting up with it because when my Nexus 7 2013 broke this damn thing was just lying around all boxed up and I thought it’d be a waste to chuck it in the bin and shell out money at a time when I need to control my expenses.

      • jihadjoe
      • 4 years ago

      From experience Samsung provides excellent support for their flagship devices, and next to none for everything else. My Galaxy S4 is pretty long in the tooth now, but it was updated to every major Android version, including 5.01 a few months ago.

      I also have one of their cheap tablets, which I got because of the great way they handled the S4. Support for the tablet, however, has not been good to say the least.

    • ronch
    • 4 years ago

    To be honest I'm not sure I trust Zimperium themselves. They remind me of Cheetah Mobile CM Security (Android) and 360 Total Security (PC) and how there are rumors that these apps trigger false alarms to scare the user into buying the paid version of their apps.

    My experience with CM Security is how it tells me it found the Stagefright and BroadAnywhere vulnerabilities and I should tap on ‘fix’ to fix the issues. Really now. And after reading this article I downloaded Zimperium’s Stagefright detector and zIPS. Judging by the comments on zIPS at the Play Store I’m not sure Zimperium’s the Good Samaritan we’d like to think they are either.

      • BlackDove
      • 4 years ago

      Cheetah and 360 are Chinese. You should never use Chinese “security” software. It’s basically malware itself.

    • albundy
    • 4 years ago

    “Should that happen, any code of the attacker’s choice can be executed in the victim’s device, which would likely result in a complete takeover of the system.”

    And that’s why removable batteries should be standard. Pop that sucker out then in, and wipe phone. Just make sure that all your personal files are on the microSD card.

    • UnfriendlyFire
    • 4 years ago

    I still haven’t gotten any security patches for my first-gen Moto G yet, including the fix for the first stagefright. And I’m not sure if the Android 4.4.4 Kitkat will be getting one either.

    Here’s the fun part, I bought the phone separate from the contract because the 2-year contract was more expensive in the long run and did not allow me to switch out SIM cards if I travel abroad.

    Which means the carrier could care less about my phone as it’s approaching the magical “two-year” mark.

    Imagine if MS yanked all security support for Windows 7 and 8 as soon as Windows 10 launched…

      • VincentHanna
      • 4 years ago

      Do.It.Yourself.

      • strangerguy
      • 4 years ago

      Anybody with a little knack for analyzing business models would have recognized that Google is a demon in sheep’s clothing; Only Google wins in Android while everyone else involved in the business loses in the long run.

      Lack of end user support is a calculated risk move as they know they can get away with it, as long as they command an enormous market share. Android fragmentation is also a non-issue for them either as long as they can put the latest Gapps in user hands…Why do you think Google spent so much effort to migrate Gapps from core Android to the Play Store? The answer is obvious; these are things that directly make money for Google in advertising and data mining.

      Device price wars are good for Google because cheaper = more devices = more advertising and data mining revenue. OEMs struggling? Let them die, because somebody that can make things even cheaper will replace them.

    • Zizy
    • 4 years ago

    The first one is lovely, since v1. Not many bugs survive that long, they are usually fixed by accident at least. But to be honest, v1 for Android wasn’t that long ago.
    The second one is luckily only for 5.x, which doesn’t work anyway so one extra issue won’t change a thing.

    If MS stops shooting themselves in foot, they could grab a lot of market share in enterprise. Home users don’t really care till the issue hits them personally – Snapchat outweighs all those vulnerabilities.

    • rika13
    • 4 years ago

    Android’s security problem has nothing to do with being (supposedly) open. It and iOS both have open kernels (Linux and XNU) and some open libraries, and they both have a closed userland on top of them.

    The reason why Android security (and the reason why Android sucks in general) is because of everyone not Google. This is not removing responsibility from Google, in fact, quite the opposite, as Google was the one who allowed this situation to happen to begin with.

    First is the update model. Apple pushes updates directly to the device. MS has a service pack-like update system for W8 phone and will be pushing updates directly to devices with W10 phone. Google, on the other hand, releases updates to the OEMs, who then have to incorporate them into their devices and throw in their “value-add”, then they release them to carriers, who then slap “value-add” software on, and then the carriers may or may not push the updates.

    The second problem is fragmentation. Samsung, LG, HTC, and others each have their own UIs and “value-add” software. This means someone used to Samsungs is completely lost when they get an LG or HTC.

    Google needs to create a universal hardware specification, like PCs have. Windows runs on Intel or AMD chips, nVidia or AMD GPUs, Realtek or VIA (or even USB) sound cards, etc. There should be something similar with Android, a unified UI and the ability for it to run on a set of compatible hardware.

      • brucethemoose
      • 4 years ago

      Unfortunately, Android OEMs/Carriers love their bloatware. I don’t think Google can just tell them to dump their custom software without alienating them.

      If you think they’re willing, remember what OEMs are afraid of. That “universal hardware specification” in Windows is exactly what created the race to the bottom in the PC market that ate their margins.

    • ozzuneoj
    • 4 years ago

    When you say that this would likely lead to “complete takeover of the system” to what extent are we talking here?

    I don’t know much about Android, or Linux, especially from a security perspective, so bear with me.

    There are still many devices that are unrootable or have unlock-proof bootloaders that even the experts (who sell their services) have given up on.

    I would assume that despite this vulnerability, bootloaders are still protected and no root access is exposed, otherwise this exploit could be used intentionally to provide root access or unlock the bootloader on any device, and any version of the OS. This would be HUGE news. We would be hearing about it if this were possible.

    So then, I can’t help but think that this exploit cannot lead to anything more serious than you would get by downloading an app from the market that has no root access. Sure, the integrity of your data is possibly compromised, but really… has this actually been exploited in any way yet?

    Vulnerabilities like this often seem like they are blown way out of proportion just to make headlines and stir people up.

    I guess I shouldn’t be surprised. Less people are upgrading their phones because they’ve been decent for a while now… why not tell them that every phone not on the short list needs replaced because “VULNERABLE”.

    • odizzido
    • 4 years ago

    If android hardware makers were forced to provide drivers for their devices then people could install their own updates.

    • LoneWolf15
    • 4 years ago

    Now we know what happens when you don’t insist on some measure of control of your own operating system put on vendor/carrier devices. When something goes badly wrong, vendors don’t give a crap, and you’re the one that looks bad.

    Coulda, woulda, shoulda. And it’s sad, because feature for feature, I like Android a lot better than its competitors.

      • rxc6
      • 4 years ago

      You mean like the Nexus 4, Galaxy Nexus, and Nexus 7(2012)? Yeah, it sucks when vendors (Google) stop updating their devices.

        • shank15217
        • 4 years ago

        Nexus 4 has the latest version of Android and its patches, try again.

          • rxc6
          • 4 years ago

          Sure. For how long? A week?

          http://arstechnica.com/gadgets/2015/09/marshmallow-updates-start-rolling-out-to-older-nexus-devices-next-week/

            • PixelArmy
            • 4 years ago

            “Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.” – http://officialandroid.blogspot.com/2015/08/an-update-to-nexus-devices.html Officially, security patch support for the N7 (2012) ended this past July and support for the N4 will end in November. Of course, Google might continue support even past those dates, as the N7 (2012) did get the last security patch and both devices did still get lollipop. I'd say it is likely the security patches will still follow past expiration due to the high profile nature of these bugs. (And a 3+ year run for those devices is pretty good.)

            • rxc6
            • 4 years ago

            The N4 is powerful enough to run the newer version of Android. I don’t like this idea of smartphones remaining as a disposable device. If devices from before that time (iPhone 4S) and that launched at the same time (Lumia 920) can be updated to their corresponding latest OS version, why would anyone let Google off the hook for its device??
            Nexus is presented as the well-supported example of the Android world and THIS is all they can offer??? I am krogothed.

            Edit: Grammar.

            • PixelArmy
            • 4 years ago

            Having my old N4 as a backup device, I agree that it should get updated, but basing this on Apple and MS (particularly on specific models) is misleading.

            The iPhone 4S was sold as recently as last fall, is not getting everything in iOS 9, will get even slower and is currently the exception. And iPhones cost twice as much as Nexus phones (dulling the disposable-ness issue IMO).

            It is also unclear what their security patch policies are. If we look at another model, the iPhone 4, OS and security updates dropped off after 9 months after the phone was discontinued, whereas the N4 got an OS update 1 year after discontinued and is still getting security patches 2 years out.

            MS/Nokia dropped support for phones < 1 year around the WP8 transition.

            Maybe this is a sign MS and Apple are progressing in terms of support length? Maybe. Is this letting Google off the hook? Maybe. I just think we shouldn’t canonize anyone just yet.

        • albundy
        • 4 years ago

        What I don’t understand is why there are no class action lawsuits against the carriers for ignoring the situation.

          • VincentHanna
          • 4 years ago

          I think for a class action lawsuit, you’d need to go after the carriers, the manufacturers and google, since there would likely be a lot of finger-pointing. A jury would need to assign blame.

          The other problem is the damages. How many people out there can show that they were harmed by their carrier’s negligence? Is securing your phone and providing security updates even their job per the contracts that we sign?

      • NovusBogus
      • 4 years ago

      There’s no guarantee that other platforms don’t also have massive crippling bugs that simply aren’t discussed due to few/no white hats having the ability to test code changes. I operate under the assumption that if a device can interact with the rest of the world, the rest of the world can interact with it.

    • BiffStroganoffsky
    • 4 years ago

    At this rate, I am gonna need a new data plan…or camp out at the local Fed-Ex Office location.

    • rxc6
    • 4 years ago

    Another month, another massive Android vulnerability. I wonder what percentage of affected devices will ever see an update.

    • Nevermind
    • 4 years ago

    Only a Billion, guys. Calm down, you make this sound like some sort of problem for Android..

      • Choz
      • 4 years ago

      A billion is probably an exaggeration. In the end it will be as if millions of voices suddenly cried out in terror, and were suddenly silenced.

    • sweatshopking
    • 4 years ago

    Any organization trusting android is flipping high.

      • Firestarter
      • 4 years ago

      So what phone would you recommend? Remember: 100% secure phones only!

        • Nevermind
        • 4 years ago

        Oh you had to rub the lamp.. what would he recommend lol. WHAT INDEED!

        • auxy
        • 4 years ago

        There is no good option. This will be computers soon too. It’s too bad nobody listened to RMS 20 years ago (https://i.imgur.com/6mPnQIk.png).

          • End User
          • 4 years ago

          "I generally do not connect to web sites from my own machine, aside from a few sites I have some special relationship with. I usually fetch web pages from other sites by sending mail to a program that fetches them, much like wget, and then mails them back to me. Then I look at them using a web browser, unless it is easy to see the text in the HTML page directly. I usually try lynx first, then a graphical browser if the page needs it (using konqueror, which won't fetch from other sites in such a situation)." (https://stallman.org/stallman-computing.html)

            • auxy
            • 4 years ago

            OBJECTION! Relevance?

          • NovusBogus
          • 4 years ago

          …well, Android is what happened when the people did listen to him. As you said, no good option.

            • auxy
            • 4 years ago

            What? Android is absolutely infested with binary blobs and closed-source software.

            • Andrew Lauritzen
            • 4 years ago

            Dude you CANNOT make that argument after this last year’s gigantic, consistent open source security fails across the board.

            Open source does not seem to really make things secure; sucks but there’s no debate on that at this point IMO. If OpenSSL and bash had fundamental issues in them, the whole notion is busted. The real problem is the code is too complicated and the few people that sort of understand it make mistakes so it doesn’t matter if you or I can go look at the source code and be like “seems to make sense to me”.

            Only proper solution is domain specific “secure” languages + static code analysis that can prove non-trivial things about code. We’re a ways off of that yet, but there is hope.

            • trackerben
            • 4 years ago

            First of all, devolve all file attachments to secure OS gateway functions. Preferably on a separate VM and stack bound with trusted hardware modules. On a completely separate system and even LAN if possible. Plus intrusion systems there or elsewhere to guard against illicit network transfers.

            • Andrew Lauritzen
            • 4 years ago

            All you’re doing is moving your “code that you have to trust” to the network or VM stack. That’s all fine, but the key point is that *that* code and indeed the firmware and hardware that it runs on in the first place need stringent, provable validation to actually fix this problem in the future.

            i.e. it needs to be at the level of rigor of math, not “software” or even “hardware”.

            You can of course get to “acceptable” with enough sandboxing and so on, but it’s possible to do better, just expensive.

            • trackerben
            • 4 years ago

            That may be so but partly physical methods normally incur collection costs that aren’t there for virtual ones. Validating the security of computing parallel to symbolic operations is always possible. But what can be mitigated by design can be counter-mitigated by design. What framework is there that rigorously excludes any possibility of later operational counters for bypassing security constraints, weakening trust mechanisms, lowering access costs?

            • Andrew Lauritzen
            • 4 years ago

            You’d need to pair it with something like hardware that only runs strongly signed code, etc. and there would obviously need to be physical validation of said hardware.

            • auxy
            • 4 years ago

            Whoa whoa WHOA! Hold on! I wasn’t talking about in the context of security. I actually don’t really care about security. You know I’m a Windows fan in general, so to hear me advocating for “free as in speech” software might seem weird.

            I was talking more generally about the issues surrounding modern computing; how you don’t really own your devices, how you have little control over what applications you are allowed to use/run, about all the surveillance and yes, security problems we have. If EVERYTHING was open-source as was the dream once upon a time, then we would have, well, none of these problems (save for security issues which are arising anyway and harder to find and troubleshoot with closed-source software.)

            I don’t like smartphones, as they are now, for the same reasons I dislike laptops but even more so. You have little control over the hardware in your device or the construction and assembly of it, and more importantly you have no ability to ‘mix and match’ parts as you do with a desktop PC. On a smartphone, the issue even extends to software; you get a complete package or you get nothing, and you can’t even install the OS of your choice on most phones because even if the bootloader is entirely unlocked there are no drivers available for the wildly proprietary hardware inside, since they were never intended to be used that way. It’s all closed-platform walled-garden type stuff, and Microsoft wants to bring that to the desktop, which is REALLY super not OK with me.

            I’m speaking ideally. If everything were open-source, computing now would probably be better. I am not ignorant of the myriad issues with such an idealistic statement; “who would pay for it” and various other concerns. Still, I do think it would be better even then. Unfortunately we’ll never know.

        • blastdoor
        • 4 years ago

        “remember”? Remember what? Who, other than you just now, said that 100% security is the requirement?

        Dichotomizing security, so that security = 1 if 100% and 0 otherwise is a sham.

        There’s a big difference between the occasional (and fixable) imperfections in platforms like Windows and iOS and the security disaster that is Android.

          • sweatshopking
          • 4 years ago

          ^

          • trackerben
          • 4 years ago

          Platforms like WinPhone and iOS get trashed occasionally but their devs strategize smartly and respond systematically. So they’re good enough for most users. But Android now is just trash in terms of security. I mean, mp3/mp4 as exploit bases for a billion-wide vector? What’s next, old avi/mpg libraries?

        • BobbinThreadbare
        • 4 years ago

        Blackberry 10 phones obvi

        • anotherengineer
        • 4 years ago

        Sure a ‘dumb’ phone.

        done and done!!

        • ronch
        • 4 years ago

        Er… Blackphone?

      • trackerben
      • 4 years ago

      That said, using one of the 90% just to make UMTS calls and texts (but for MMS) should not be exploitable by anything other than some three-letter agency or girlfriend. I think.

      • blastdoor
      • 4 years ago

      Google has quite a quandary on its hands. What’s worse — paying the price of fixing security on android, or paying the price of not fixing it?

      In the long run, I think the cost of *not* fixing it will be higher. In the short run, the cost of fixing it will be higher. In most companies, bonuses are based on what happens in the short term. I wonder how it works at Google…

        • sweatshopking
        • 4 years ago

        I’m not sure they can. The competition has been making operating systems and security expertise for years. Google hasn’t. It takes time to build those skills.

        • VincentHanna
        • 4 years ago

        Google has already fixed it. Anyone still running an infected phone is doing so because someone, not google, is standing in their way… Even then, most people have the option to install a new ROM and fix it, whether they know that or not. They just don’t care.

    • BobbinThreadbare
    • 4 years ago

    Looks like Sundar Pichai picked the wrong month to quit sniffing glue.
