Stagefright 2.0 Android Exploit Could Put A Billion Devices At Risk

Just a few months ago, security research firm Zimperium announced Stagefright, a worrisome Android vulnerability. Now, the company is taking the wraps off of another vulnerability, dubbed “Stagefright 2.0.”

Joshua J. Drake, the Zimperium zLabs vice president of research who discovered the first vulnerability, is also responsible for Stagefright 2.0. The new Stagefright 2.0 is actually two vulnerabilities. One vulnerability affects most Android devices, according to Zimperium, while the second affects Android 5.0 and newer.

The vulnerabilities are similar to the original Stagefright in that MP4 video files can contain the malicious code necessary to break into your smartphone and give an attacker the freedom to execute code on your phone.

Lobby of Google building 44 in Mountain View, CA. Image credit: Google

There are three ways to implement the attacks, Zimperium writes in its blog. The most likely is that the victim would click a malicious link. Also, the attacker could use “common traffic interception techniques” to put the exploit on the phone. A third option would be a third-party app, like a media player.

“The vulnerability lies in the processing of metadata within the file, so merely previewing the song or video would trigger the issue,” writes Zimperium. “Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.”

As with the first Stagefright, Zimperium contacted Google and gave it time to consider the information before going public with Stagefright 2.0. “Per usual, they responded quickly and moved to remediate,” Zimperium writes.

Zimperium recently shared the original Stagefright, once it had been patched. As for Stagefright 2.0, zLabs writes on its blog, “At this point, we do not plan to share a proof-of-concept exploit for this new vulnerability with the general public. Once a patch is available, we will update our Stagefright Detector app to detect this vulnerability.”