According to NorthBit’s research (see full PDF here), the security concern comes from Stagefright, Android’s mediaserver and multimedia library.
This isn’t the first time Google has struggled to safeguard Stagefright. Back in October last year, news surfaced that over a billion Android devices might be exploited through a vulnerability in the multimedia library.
Since then, Google has issued multiple patches, but Stagefright’s problems keep coming back.
NorthBit says that devices running Android versions 2.2 through 4.0 as well as 5.0 and 5.1 are most susceptible to the new exploit.
The research additionally estimates that there are about 275 million devices running the compromised versions, though it is difficult to tell how many of them might be in danger.
NorthBit says that Nexus 5 devices running the stock ROM are particularly vulnerable to attacks. Other models that the company has successfully hacked include the HTC One, LG G3 and Samsung S5.
Fortunately, attackers won’t have an easy time hacking your phone – not unless they manage to trick you.
As NorthBit shows in this video, exploiting Stagefright’s new vulnerability involves a fair degree of social engineering, making it much less likely for hackers to succeed in their attempts.
Attackers won’t be able to bypass your security unless you get tricked into clicking an infected link and staying on that Web page long enough for the exploit to complete – a process that could take anywhere between a few seconds and two minutes.
So until Google issues its next fix for Stagefright, Android users had better tread the Web lightly.
Update, March 18, 6:35 p.m. ET:
Google has specified that it has released a fix. See its full statement below.
“Android devices with a security patch level of October 1, 2015 or greater are protected because of a fix we released for this issue (CVE-2015-3864) last year. As always, we appreciate the security community’s research efforts as they help further secure the Android ecosystem for everyone.”