The nightmare might be over, but the scare continues ever so slightly. Security outfit Zimperium labs, who broke the news about the first Stagefright, are now back with some bad news. There is a Stagefright version 2.0. This time, the vulnerability comes from two vectors, one of them the same libstagefright responsible for the first security hole. And this time, it rides on MP3 audio as well as MP4 videos. Fortunately, thanks to the fixes prompted by the first Stagefright, implementing an exploit requires a bit more work, but it is still possible.
libstagefright is Android’s software library for handling multimedia content. In the first Stagefright vulnerability, the library could easily be exploited to give unauthorized access to devices simply by scanning a corrupted MMS. Google has patched that up by now of course but this second Stagefright moves on to doing the same thing when scanning maliciously crafted MP3 and MP4 files.
Because of Google’s actions to plug up the MMS security hole, implementing an actual attack exploiting this vulnerability is a bit harder to do. Whereas the scarier Stagefright kicked into action the moment a user receives an MMS (thanks to some rather odd default settings in messaging apps), this second one will require an attacker to fool users into visiting a website from their mobile device or playing such a corrupted file using a vulnerable Android app.
The range of affected devices is wider on this one because Stagefright 2.0 is actually two vulnerabilities in one. The first is related to a different library called libutils, which is used by some third-party apps, especially those from vendors and carriers, and can be found in Android versions dating back to Android 1.0. The second affects libstagefright again and applies even to Android 5.0 or later.
Google has already been informed about Stagefright 2.0 and has already assigned a tracking number for the libutils vulnerability. However, it has yet to acknowledge the libstagefright exploit.