‘Stagefright’ Bug Hijacks 950 Million Android Phones via MMS Text

Stagefright Bug

Over 1 billion Android users have been reported vulnerable to Stagefright 2.0. Malicious code execution has been confirmed on Android 5.0 and later via the libstagefright library. Older devices are potentially vulnerable through apps that use the libutils library. Stagefright 2.0 is a set of vulnerabilities that allows attackers to gain remote access to an Android device. Not long ago its predecessor, Stagefright 1.0, was successfully patched by Android. Nonetheless, a security analyst at Zimperium Security discovered two new vulnerabilities that attack mobile users through MP3 and MP4 files.

Back in April, security analysts at Zimperium Security identified vulnerabilities in the Android OS, which were named Stagefright 1.0. Stagefright 1.0 attacked the smartphone through an SMS carrying malicious metadata. Google released an update to patch the vulnerabilities. Afterward, researcher Joshua J. Drake of Zimperium Security continued his research and discovered two new vulnerabilities. Instead of using SMS as the attack vector, the new vulnerabilities, Stagefright 2.0, are triggered by corrupted MP3 and MP4 files.

Logo of Stagefright 2.0 vulnerability.

The vulnerability is triggered through metadata in MP3 or MP4 files. Once these files are viewed on an Android device, code carried in the metadata allows the attackers to execute commands on the phone remotely. As stated by security analysts at Zimperium, attackers use the following three methods to exploit the vulnerability:

  • Phishing campaigns in which attackers send URLs leading to the attacker's web domain.
  • An attacker on the same unsecured network injecting the exploit into the network.
  • Third-party apps that use the vulnerable library.

Image shows how the vulnerability executes arbitrary code. Source: blog.zimperium.com

As of now, the best way to protect yourself from Stagefright 2.0 is to avoid MP3 and MP4 files from suspicious or unknown sources. Also, be wary of opening links from questionable sources. Just previewing a video on a compromised site will execute the code embedded in the metadata. Google will be releasing updates to resolve the vulnerabilities in the following days.
