Just as Android device manufacturers began patching the previous round of Stagefright vulnerabilities, security firm Zimperium has discovered a whole new collection of flaws that threaten over a billion Android-powered phones.
The vulnerabilities, which are being dubbed 'Stagefright 2.0' by researchers at Zimperium, are activated when an Android device is forced to process booby-trapped MP3 or MP4 media files. There are two flaws in total, and when combined, an attacker can harness them to execute malicious code.
The first flaw concerns the libutils library and is found in every version of Android since version 1.0. This flaw can be triggered in devices running Android 5.0 or newer by exploiting the second issue in libstagefright, an all-new vulnerability that is yet to be patched.
While remote code execution is possible in all versions of Android newer than version 5.0 by combining and exploiting the two vulnerabilities, it's also possible to attack older devices by targeting the libutils flaw, depending on the third-party apps installed on the device or its pre-loaded functionality.
Zimperium states that the "primary attack vector" for these vulnerabilities is through a web browser, as MMS-based attacks have already been patched in Google's latest versions of Hangouts and Messenger. It's also possible to trigger an attack through unencrypted network traffic interception, and via third-party apps that use the vulnerable libraries.
Google has already been notified of the Stagefright 2.0 bugs, and is set to patch them in an Android update scheduled for release next week. This update should hit Nexus devices shortly, but users of pretty much every other device might remain vulnerable for a lot longer.