Just one song or video can hack billions of Android smartphones
Playing a particular song can allow the hacker to get in and steal data
A security research firm has discovered a new vulnerability in media processing by Android devices which could infect over a billion handsets with just a MP3 or MP4 media playback. Stagefright 2.0 is a set of two vulnerabilities that manifest when processing a specially crafted MP3 audio or MP4 video file. Using this vulnerability, the hacker can get into your device in the background and steal your data.
According to Zimperium zLabs, the first vulnerability impacts almost all Android devices released since 2008 and the second can infect all devices with Android 5.0 and higher.
What is the impact of this issue?
Confirmed remote code execution (RCE) impact via libstagefright on Android 5.0 and later.
Older devices may be impacted if the vulnerable function in libutils is used (using third party apps, vendor or carrier functionality pre-loaded to the phone).
What is the vulnerability?
Processing specially crafted MP3 or MP4 files can lead to arbitrary code execution.
How the attack can be triggered?
The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.
An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled Web site (e.g., mobile spear-phishing or malicious ad campaign)
An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.
For now, Google has patched the bug in both apps, but some older app versions for Android are yet to be pushed.
Read the entire research on Zimperium.