1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Stagefright 2.0 leaves over a billion Android smartphones vulnerable

By Scorpus
Oct 1, 2015
Post New Reply
  1. Just as Android device manufacturers began patching the previous round of Stagefright vulnerabilities, a whole new collection of flaws have been discovered by security firm Zimperium that threaten over a billion Android-powered phones.

    The vulnerabilities, which are being dubbed 'Stagefright 2.0' by researchers at Zimperium, are activated when an Android device is forced to process booby-trapped MP3 or MP4 media files. There are two flaws in total, and when combined, an attacker can harness them to execute malicious code.

    The first flaw concerns the libutils library and is found in every version of Android since version 1.0. This flaw can be triggered in devices running Android 5.0 or newer by exploiting the second issue in libstagefright, an all-new vulnerability that is yet to be patched.

    While remote code execution is possible in all versions of Android newer than version 5.0 by combining and exploiting the two vulnerabilities, it's also possible to attack older devices by targeting the libutils flaw, depending on the third-party apps installed on the device or its pre-loaded functionality.

    Zimperium states that the "primary attack vector" for these vulnerabilities is through a web browser, as MMS-based attacks have already been patched in Google's latest versions of Hangouts and Messenger. It's also possible to trigger an attack through unencrypted network traffic interception, and via third-party apps that use the vulnerable libraries.

    Google has already been notified of the Stagefright 2.0 bugs, and are set to patch them in an Android update scheduled for release next week. This update should hit Nexus devices shortly, but users of pretty much every other device might remain vulnerable for a lot longer.

    Permalink to story.

  2. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,690   +403

    How does one get an updated Messenger application? Is that an app updatable via the Play Store?
  3. misor

    misor TS Evangelist Posts: 1,203   +214

    core android messenger app gets updated regularly and can be updated via play store or automatically if you allow your android device to update in the background via wifi and/or thru data plan.

    my android 5.1.1 'messenger update has this feature: support for android 6 marshmallow.
    Darth Shiv likes this.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...