A new ‘Stagefright’ vulnerability uncovered by security researchers at Zimperium zLabs could compromise your Android phone just by opening an MP3 file.
One of the new exploits reportedly affects every device from version 1.0, which was released in 2008, and the other impacts devices running 5.0 and above.
Do business with 5,000 people
Momentum by TNW is our New York technology event for anyone interested in helping their company grow.
The attack — dubbed Stagefright 2.0 — is related to the processing of metadata within a MP3 or MP4 video file. Previewing a specially crafted song or video would execute the exploit, which would allow an attacker to execute remote code.
It also affects third-party apps, as the bug is found within the libstagefright library leveraged by some media players. The exploit has not been spotted in the wild at time of writing.
There is no proof-of-concept code for the bug as it is still unpatched, but the company will update its Stagefright detection app once a fix is released.
The researchers reported the bug to Google on August 15th, which plans to release a patch in the next Nexus Security Bulletin scheduled for the second week of October.
According to Motherboard Android Marshmallow will incorporate the fix, though that’s limited to only recent devices.
Unfortunately for older devices that no longer receive updates, it’s likely this security flaw will ever be patched, leaving them susceptible to it until they manually flash a new version of Android.
An attack like this in the wild on the internet could be catastrophic, as it only requires the user to visit a URL containing the malicious file, which could be executed on download within a song that appears legitimate.
➤ New Vulnerability Processing MP3/MP4 Media [Zimperium]
Image credit: Shutterstock