Stagefright is back, this time takes control of Android devices through an infected audio file

Stagefright is back, this time takes control of Android devices through an infected audio file
Zimperium, the team of mobile security experts that has discovered the original Stagefright exploit back in July, has recently announced the discovery of yet another security flaw in Android's multimedia library. If you were feeling protected by the fact that your device has received a patch for the initial Stagefright bug, then this recent development will probably take you out of your comfort zone once again.

In the three months that have passed since the Stagefright exploit was first discovered, the security flaw managed to create a rupture in the entire Android ecosystem. Although Google has patched the bug in a comparatively timely manner, it was up to manufacturers to implement the patch, and up to carriers to send it out to consumer devices. As a result, many smartphones, especially entry-level and mid-range devices still remain vulnerable to the initial Stagefright bug to this day.

With the initial Stagefright vulnerability, attackers could take control over an Android device by sending an MMS containing a malicious video. This time around, Zimperium has discovered a way to hack Android devices through a malicious audio file, encrypted in either the MP3 or the MP4 file formats.

Once again, the trouble is all in the way that Android previews the multimedia files it encounters. For example, if your Android device visits a web page where the malicious audio file is hosted, the OS tries to preview the file. At this point, your device will be infected. Since the vast majority of Android devices use some version of the preview function, there's no limit to the potential magnitude of this new attack. According to the researchers at Zimperium, about 950 million Android devices could be vulnerable to the new Stagefright exploit.

Notified of the new Stagefright security flaw before Zimperium publicly announced the discovery, Google has baked in a patch for this exploit in the October Monthly Security Update for Android, which rolled out to manufacturers on September 10th. Google's own Nexus devices will get the patch on October 5th.

Zimperium says that they have yet to see the exploit being used in the wild, but does that alleviate your paranoia? Drop us a comment in the section below and share your thoughts!

source: Zimperium via The Verge

FEATURED VIDEO

49 Comments

53. Plutonium239

Posts: 1266; Member since: Mar 17, 2015

And down goes the security of the Blackberry Priv.

50. Podrick

Posts: 1285; Member since: Aug 19, 2015

#Malwaregate

40. 99nights

Posts: 1152; Member since: Mar 10, 2015

Not a good year for apple and google. Malware galore.

37. c.hack

Posts: 614; Member since: Dec 09, 2009

I'm actually starting to feel bad for the droidtards with their junkphones. Its like watching mentally deficient people getting mugged. So saaaad.

25. marorun

Posts: 5029; Member since: Mar 30, 2015

I work at a cellshop and i work with business thats have up to 500 devices. Not a single one called me about a deviced infected with this exploit. This show how useless this news is.

28. strudelz100

Posts: 646; Member since: Aug 20, 2014

It doesn't put up a flag on your screen "You are infected!" or anything. Hackers dont advertise their hacks. They use them to victimize people. Or sell them to Governments and corporations so THEY can victimize us instead.

38. marorun

Posts: 5029; Member since: Mar 30, 2015

in fact since android have the abillity to use antivirus and thats a good salerep will recommend one yes its do write on your screen you are infected ( in a matter of speaking ) AVG mobile is easily able to detect stagefright and even block it if its comming from a website. so i repeat. not a single one since 2011 came with an android phone infected BY ANY virus at all no matter what type of virus. ( we do install avg mobile on every android device we sell ) but we had some iphone user came back with strange behavior ( not jailbroken one ) even one was sending link by email to all contact and when the contact opened thats link they got infected ( its was in the iphone 4S days ) Also i would not be surprised thats Apple also give all those info to governements and corporation all big tech company may its be Apple , Google , microsoft ect they all the same for them we are profit machine and nothing else.

60. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

Then you are a small business, and I doubt anyone went to you for a fix. Also AVG has never stated that their protection will stop it on the web. AVG does not stop it from loading into memory, that is the only way to stop it. Even on a page, once it is loaded...your done. Or so it is believed. As well here is AVG's answer to stagefright...not install our app,https://support.avg.com/SupportArticleView?l=en_US&urlname=Stagefright-What-is-it-and-how-do-I-protect-myself I have seen infected phones WEEKLY, from stagefright, to other stuff. In fact, my job is to clean these phones out, hopefully without a master reset. Some of them had an antivirus, still infected. Thankfully for safemode half the time. Don't act like because your 'shop' hasn't had one, means that all of a sudden 1billion devices are safe. You are selling your customers a bridge.

61. AlikMalix unregistered

Moronrun and elitewolverine -- I was really hoping to see you two in a conversation about problems that people bring into your stores with their smartphones. According to moronrun, all iOS are the worst and people should not be buying them... from repair shops to carriers to electronics stores - everyone loves iPhones - since they present least amount of headache... but his Highness moronrun says otherwise.... who to believe, I dont know.

62. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

My job is to exchange devices, well try to fix them first. Most of our issues are probably a ratio of 3:1 for android to ios calls. Right now the biggest issue we are dealing with is the latest iOS update seems to be fing with data on iphones. Having to do all kinds of weird 'fixes' and it works. Other issues are also phone charges at night when they wake up its off and doesn't respond to anything, soft reset fixes it. I am above all a windows nut, I sell androids daily and even recommend them all the time. I also recommend iOS (though harder to justify the price gap). In the end they offer their own take, but to think just cause this guys shop doesn't see a virus that all of a sudden android is safe...hell no, that is a bold face lie. He might not be lying that he doesn't get them in the shop but to act like its no big is a huge...no. Its a billion dollar business for a reason. Heck I am typing this on lunch, this morning I have handled two malware calls, where a black icon with a white ship mimicking the security apps in design were feeding customers fake weblinks asking for password logins, and auto downloading apps they have never asked for. I could also talk about the 4months+ that we dealt with the FBI phone lock, hundreds of issues with that just on our team alone. This type of call for malware popups, to screen size ads, to virus stuff...is a daily issue. iOS not so much.

48. iushnt

Posts: 3191; Member since: Feb 06, 2013

Yaa point to be noted, nothing has happened in my surroundings so far..

23. strudelz100

Posts: 646; Member since: Aug 20, 2014

Meanwhile these same hacker co-ops are offering a $1,000,000 for finding a SINGLE zero-day exploit for iOS 9. Let's repeat that: One Million Dollars for a single hack of iOS 9. I think we have an answer on which OS to use for privacy.

36. marorun

Posts: 5029; Member since: Mar 30, 2015

ios Dev can get there dev priviledge removed if they go and tell about exploit unless its directly to Apple alone. so yeah if i would make millions on apps i would not want to risk it for 1 milion. http://globalnews.ca/news/2241498/ios-9-may-leave-iphone-users-vulnerable-to-passcode-bypass-flaw/ sure its was fixed but thats vulnerability was present day 1 of ios 9. but hey its was not as much told everywhere its funny how tech website will push android vulnerability much more than the one on ios. did you know how many vulnerability they finnaly patched in ios 9? vulnerability thats existed since ios 6 was patched in ios 9. https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-15556/Apple-Iphone-Os.html if you need proof.

42. 99nights

Posts: 1152; Member since: Mar 10, 2015

Yep and you're answer is blackberry and windows mobile lol, certainly not apple.

49. RoboticEngi

Posts: 1251; Member since: Dec 03, 2014

And still it took apple 6 months to figure out they had more than 300 malware infected apps in their "secure" app store. How many tools does your iphone have against such attacks?

59. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

300 out of 1.3million....0.02% of apps in the store were affected. Compare that to stuff like this....http://www.pcworld.com/article/2099421/rep​ort-malwareinfected-android-apps-spike-in-the-goog​le-play-store.html Seriously, face it, android by default is less secure because of what it can do. It is both a blessing and a curse, just like Windows. However, this is bigger than a pc exploit, for all one needs is your phonenumber and the default settings when you pull it out of the box...boom.

22. bur60

Posts: 981; Member since: Jul 07, 2014

I have a feeling that this is being blow out of proportion. Stagefright gets a fix and now this comes after? Seems like somebody is damaging Android's image.... Could be wrong tho

35. marorun

Posts: 5029; Member since: Mar 30, 2015

Nope you are right. Apple and microsoft pay security firm to search for exploit then put it all on public website. not 1 android infected by any virus or such came back to my store i work at since 2011. and we sell 50% android device if not more. So yep as usual.

58. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

Then your store is small. I have dealt personally with over 100 infected phones.

21. darkkjedii

Posts: 31816; Member since: Feb 05, 2011

Can't wait to hear from the Big 3 android trolls on this one.

27. strudelz100

Posts: 646; Member since: Aug 20, 2014

Can't wait to hear from the entire PA user base of Android evangelists about the iPhone, on all articles, including those involving only Android. It is impossible to avoid mentioning the iPhone because its the benchmark for Android users as well, whether ya'll deny it or not.

32. darkkjedii

Posts: 31816; Member since: Feb 05, 2011

Y'all? I use both, but prefer iOS ever so slightly.

34. marorun

Posts: 5029; Member since: Mar 30, 2015

I would take ios on the same hardware as last gen android. as long as its will be back 2-5 year in hardware departement i wont get iphone ever. funny thing is i really liked ios up to ios 6.0 then its became more and more unstable. when Job was there he would not lets all those crappy update thats bring load of issue passe.

39. darkkjedii

Posts: 31816; Member since: Feb 05, 2011

Don't know what that has to do with my post, but ok.

41. DoggyDangerous

Posts: 1028; Member since: Aug 28, 2015

bcoz Everyone made money from iOS

45. Zylam

Posts: 1827; Member since: Oct 20, 2010

You know, you think you'll being smart trying to combat Bobby but you're just making yourself and Android phones looks bad. By everyone Bobby means Oems, IOS only has one Oem and it's making billions of dollars every 3 months. The android Oems are either bleeding or just making it to a fee million in profit. Nothing compare to apple. Also everyone's seen the developer charts, they make more money on iOS. I love Android and use all 3, but fandroids like you make all of Android look bad.

54. DoggyDangerous

Posts: 1028; Member since: Aug 28, 2015

Yes, bcoz I made money with iOS. 3.50 cents

43. 99nights

Posts: 1152; Member since: Mar 10, 2015

What about the copious amount of made up apple accounts that troll every single article lol, bobbybuster for example at his usual in first wave of comments. It's ridiculous.

20. xondk

Posts: 1904; Member since: Mar 25, 2014

I must say, these hackers are certainly creative.

12. Michael.Parker

Posts: 273; Member since: Aug 22, 2015

I remember when I used to download movies over torrents I'd occasionally get infected DIVX files causing problems with Windows. And now I've got to worry about the same on Android?

* Some comments have been hidden, because they don't meet the discussions rules.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.
FCC OKs Cingular's purchase of AT&T Wireless