Stagefright Returns To Attack Android Audio Files

Just when you thought it was dead, the Stagefright bug returns and infects audio files on Android devices

The security researchers who first discovered the Stagefright bug, which was described as “worse than Heartbleed” and was thought to affect millions of Android smartphones, are now warning that it has staged an unwelcome return.

Stagefright 2.0, which exploits a flaw in the handling of audio (music) files, could allow hackers to take over a device and could possibly affect more than one billion Android smartphones and tablets around the world, Zimperium zLabs warned.

Audio Flaw

The first time around, when an Android device received an MMS message containing video, the affected versions of Android automatically created a preview of the video using Stagefright. That flaw meant that a specially crafted message could trigger a memory corruption vulnerability in that library, giving an attacker sufficient privileges to execute arbitrary code.

But now Zimperium’s Joshua J. Drake has warned in a blog posting that his continued research into media processing in Android has led to the discovery of yet another security issue, dubbed Stagefright 2.0.

Attackers can now compromise Android devices by tricking unsuspecting users into visiting a website that contains a malicious multimedia file (either MP3 or MP4). When the user previews the malicious song or video file, it could enable the attacker to gain access to their mobile device and run code remotely.

This flaw even affects devices running the latest Android OS (Android 5.0 Lollipop or Android 6.0 Marshmallow).

“Meet Stagefright 2.0, a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files,” wrote Zimperium. And the researchers confirmed that “processing specially crafted MP3 or MP4 files can lead to arbitrary code execution.”

“The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue,” warned the researchers. “Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.”

For example, the attacker could point an unsuspecting Android user to a URL on an attacker-controlled website (e.g., via mobile spear-phishing or a malicious ad campaign). If the attacker were on the same Wi-Fi network, they could instead inject the exploit into unencrypted network traffic destined for the browser using common traffic interception techniques.

And it seems that third-party apps (media players, instant messengers, etc.) that use the vulnerable library are also a potential attack vector.

“We notified the Android Security Team of this issue on August 15th,” said the researchers. “Per usual, they responded quickly and moved to remediate. They assigned CVE-2015-6602 to the libutils issue but have yet to provide us with a CVE number to track the second issue. We would like to thank Google for their cooperation for promptly including the fix in the upcoming Nexus Security Bulletin scheduled to be released next week.”

The good news for Android users then is that Google has acknowledged the vulnerability and is working on a patch that should start arriving from 5 October.

Expert Take

“The first version of Stagefright required some information, namely your mobile number, to be able to send the text message to your device,” said Mark James, IT Security Specialist at ESET. “This new version does not even need to know any of your information to be successful; merely visiting the website and previewing the malicious file could trigger the use of the vulnerability. This in theory enables a much wider audience and indeed could enable access to over 1 billion Android devices.”

James advises caution when web browsing.

“You absolutely have to think before visiting websites, all too often people fail to understand their mobile devices are just as much at risk as their desktops,” said James. “There are so many methods used these days for infecting the unsuspecting end user that you must think twice before clicking that link. We all know there is nothing for free in this world, everything comes at a cost and your private data is worth a lot more than a free music or video file.”

“In June of last year, Google announced they have 1 Billion (with a capital B) active monthly users,” said Trey Ford, Global Security Strategist at Rapid7. “This data point, combined with other sites reporting the domination of Android in the mobile market, makes the projected scope of impact at 1 billion realistic.

“The advice I give friends and family is to buy handsets that allow for updates directly from the manufacturer,” said Ford. “For those who love Android – buy directly from Google to remove the carrier-introduced delay when Android releases a security patch. For Google, this is an ecosystem problem. Google manages Android, and does a respectable job shipping patches.”
