Wally Santana/Associated Press

More than a billion Android devices are vulnerable to second Stagefright bug

This time, an attack can happen just by previewing a song or video on your phone.

MORE THAN A BILLION Android devices are at risk from a flaw that can infect devices when they preview an audio or video file.

Mobile security company Zimperium Labs discovered two new vulnerabilities that could put these devices at risk. Called Stagefright 2.0, the flaws let an attacker use a specially created MP3 or MP4 file to access an Android device’s code to track or take information or make changes remotely.

The same company discovered the original Stagefright bug and announced it back in July. That bug could see Android devices infected just by sending a text message to Google Hangouts or Messenger apps.

The issue lies with Android’s preview function, which processes the metadata within the files. Since Google Hangouts and Messenger have been updated, the attack would be carried out through a web browser.

The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.

The first vulnerability, found in the libutils code library, impacts almost every Android device as far back as 2008, while the second (in libstagefright, which is used to process media files) only affects those running Android version 5.0 and above.

However, there have been no examples where the flaws were exploited in public, and the details of said exploits have been kept private to prevent anyone from discovering them.

Zimperium Labs notified the Android Security Team of the issue back in August and an update has been shared with manufacturers. However, a fix for the second vulnerability hasn’t been provided yet.

While it is worrying that such flaws and vulnerabilities exist, the best way to keep yourself safe is to apply common sense when using your phone.

Always use approved apps, keep away from any sites or services that may look shady and don’t download content from unknown sources (for unapproved apps, you can check this by going into Settings > Security and making sure ‘unknown sources’ is turned off).

Author
Quinton O'Reilly