Stagefright is back, this time takes control of Android devices through an infected audio file

Zimperium, the team of mobile security experts that has discovered the original Stagefright exploit back in July, has recently announced the discovery of yet another security flaw in Android's multimedia library. If you were feeling protected by the fact that your device has received a patch for the initial Stagefright bug, then this recent development will probably take you out of your comfort zone once again.

In the three months that have passed since the Stagefright exploit was first discovered, the security flaw managed to create a rupture in the entire Android ecosystem. Although Google has patched the bug in a comparatively timely manner, it was up to manufacturers to implement the patch, and up to carriers to send it out to consumer devices. As a result, many smartphones, especially entry-level and mid-range devices still remain vulnerable to the initial Stagefright bug to this day.

With the initial Stagefright vulnerability, attackers could take control over an Android device by sending an MMS containing a malicious video. This time around, Zimperium has discovered a way to hack Android devices through a malicious audio file, encrypted in either the MP3 or the MP4 file formats.

Once again, the trouble is all in the way that Android previews the multimedia files it encounters. For example, if your Android device visits a web page where the malicious audio file is hosted, the OS tries to preview the file. At this point, your device will be infected. Since the vast majority of Android devices use some version of the preview function, there's no limit to the potential magnitude of this new attack. According to the researchers at Zimperium, about 950 million Android devices could be vulnerable to the new Stagefright exploit.

Notified of the new Stagefright security flaw before Zimperium publicly announced the discovery, Google has baked in a patch for this exploit in the October Monthly Security Update for Android, which rolled out to manufacturers on September 10th. Google's own Nexus devices will get the patch on October 5th.

Zimperium says that they have yet to see the exploit being used in the wild, but does that alleviate your paranoia? Drop us a comment in the section below and share your thoughts!