It seems Android's Stagefright media library just can't catch a break. Zimperium, the security company that was also the first one to uncover the first major vulnerabilities in Stagefright earlier this year, uncovered yet a few more vulnerabilities affecting over a billion Android users.
"Stagefright 2.0," as the researchers called the new set of vulnerabilities in Android's media library, manifest when processing specially crafted MP3 audio or MP4 video files.
The first vulnerability (found in libutils) affects all Android versions down to 1.0, which was released in 2008. By using a second vulnerability found in libstagefright, the researchers managed to exploit Android 5.0+ devices as well.
Using the two libutils and libstagefright vulnerabilities, attackers can do remote code execution on Android 5.0+ devices, while on older devices they only need the libutils vulnerability.
What the attackers could do is create MP3 or MP4 files that can infect the users' devices as soon as the files are previewed, by taking advantage of the processing of metadata in the files, where the vulnerability lies.
According to Zimperium, an attacker would do the following things to infect users:
- An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled website (e.g., mobile spear-phishing or malicious ad campaign).
- An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
- 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library
Zimperium notified the Android security team on August 15 about this vulnerability, and a patch is expected to arrive on Nexus devices next week. Once the patch is available, the Zimperium Stagefright Detector app will also start identifying which devices are still vulnerable. A proof of concept exploit will also be shared with the Zimperium Handset Alliance members later this month.
The company also noted that it expects to see many more such vulnerabilities and exploits in this area in the future. Seeing how many Stagefright vulnerabilities have been found in such a short time and how many devices they affect, it would probably be a good idea for Google to rewrite the media library from scratch in a much safer way for the next major release of Android.