Researchers at Zimperium, a specialist cybersecurity company, has announced that it has found another major vulnerability in the Android operating systems that many of us use on our mobile devices.
A blog post published by Zimperium says “Meet Stagefright 2.0, a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files.” Nearly every single device since Android 1.0, released in 2008, is affected according to the blog post. The researchers were able to exploit the flaw in devices running Android 5.0 and later, and conceptually nearly every single device since Android 1.0 (2008) could be affected. According to Zimperium, earlier devices could be impacted through media players and instant messenger that use the Stagefright library.
Media files carry additional information called metadata, which is processed when the file is opened or previewed. This means the video or audio file on the device would not even need to be opened by the user for the attack to occur. Once the device was infected, the most likely method an attacker would use would be via a web browser.
How might this happen in a real environment?
- An attacker will try to convince you to visit a link that points to an infected website via either a malicious ad campaign or using spear-phishing techniques.
- An attacker on the same network as you could inject the exploit by intercepting your mobile network traffic destined for the browser.
- Infection of 3rd party apps that are using the vulnerable software library.
Zimperium has said that they notified Google’s Android Security team in August, and that Google responded quickly to try and fix it. They’ve also said that full technical details of the exploit will not be released publicly until Google has confirmed that the issue has been fixed and is available to users.
Bugs and vulnerabilities in operating systems are not uncommon. This exploit highlights the need for users to ensure that their devices are running the very latest version of their operating system and applications.
Unfortunately, unlike the first time Stagefright appeared, when disabling the automatic retrieval of MMS messages could prevent your device from being infected, this time we need to wait for the update from Google, our phone carrier as well as our handset manufacturers to make it available to us.
In the meantime there are some precautions you can take:
- Check with your handset provider or carrier for a patch/update.
- Update all the apps you have on your device.
- Avoid downloading media files from untrusted sources, and even when trusted, use caution.
- If you haven’t disabled the ‘Auto retrieve MMS’ feature, switch it off now.
Remember, the most important thing you can do is keep your operating system and apps up to date. For that extra layer of protection, download AVG AntiVirus for Android to help protect your devices against malicious phishing sites.
Follow me on Twitter @TonyatAVG