Google's Android OS suffers another bout of security nerves as Stagefright 2.0 emerges
Stagefright, a security loophole found to affect 95% of Android smartphones, was supposed to have been quashed by updates from the likes of Samsung, HTC and Google. However, a bigger threat has been discovered and security experts have dubbed it Stagefright 2.0.
The same mobile security firm that uncovered Stagefright in April, Zimperium, has found another media-based vulnerability in Android. Known as Stagefright 2.0, this vulnerability is triggered when Android processes specially crafted MP3 or MP4 files, and it is present in every Android device since the first version.
The big difference between Stagefright 2.0 and the original vulnerability is the minimal amount of user information an attacker needs to gain access to your phone. While Stagefright required knowledge of your mobile number to launch an attack via MMS, this time you need only visit a website hosting a specially crafted video or audio file. The moment you start the video or audio, an attacker can gain access to everything inside your phone.
Google originally fixed the Stagefright issue with an update to its Hangouts application, and other phone manufacturers with Android reskins also issued fixes. This means that attacks through messaging will be extremely limited, but an attack through a web browser is far harder to prevent.
Zimperium says it alerted Google's Android Security Team to the issue on 15 August. Since then, Google has been hard at work and the upcoming Nexus security update will fix the issue. Interestingly, Zimperium says there's another vulnerability, of which Google is also aware, but it can't disclose exactly what it is until a fix is on the way. While that's a little unnerving, at least nobody can exploit it if they don't know what it is.
While Google has committed to providing regular security updates to Android, and Android Marshmallow promises to offer even more security than before, it is alarming that huge holes are being uncovered in Google's mobile OS.