What You Need To Know About Stagefright: Google Issues New Patches for Two New Android Vulnerabilities Found

Two new Stagefright vulnerabilities have been found, putting billions of users with devices running on Android OS versions as far back as 2008 at risk.

Stagefright 2.0 can affect devices running Android versions older than Lollipop (5.0 to 5.1.1) through remote code execution, Zimperium said in a report to be published on Thursday, PC World reported. It can be exploited through Web browsers. Zimperium is the same mobile security company that found the first attacks earlier this year.

An advisory from Google says the new flaws have not been exploited by attackers yet, fortunately. According to the researchers, users can be tricked into visiting malicious websites through links in emails, instant messages, or advertisements, even on legitimate, reputable sites. Attackers could inject the exploit directly into the Web traffic. The researchers said that attackers could also use third-party media players or instant messaging apps that rely on the vulnerable Android library to read MP3 and MP4 metadata files.

The first round of Stagefright flaws was found in April by Zimperium in a library called Stagefright (after which the bug was named). It was publicly announced last July. A user's device can be compromised through malicious multimedia messages. According to CIO, Joshua Drake, vice president of platform research and exploitation at Zimperium, found the vulnerabilities in a core Android component for processing, playing and recording multimedia files. The MMS attack vector was already closed in newer versions of Google Hangouts and other instant messaging apps.

When the first Stagefright flaws were found, device manufacturers coordinated on a patching effort. Google, Samsung and LG also committed to monthly security updates from then on.

Zimperium reportedly informed Google about the new flaws on Aug. 15. Yesterday, Oct. 5, Google issued new patches, PC World reported, as part of its Android Security Bulletin Monthly Release. Google has released a security update to Nexus devices over-the-air. Users can also download the system images (such as LMY48T, LMY48W, Android M) from the Google Developers site.
