Android has had a number of security scares over the years, but the Stagefright bug that was
made public over the summer spurred Mountain View to action like never before.
Patches have already rolled out for that bug, but now security firm Zimperium has announced a
second round of Stagefright exploits that aren’t covered by the first patch. Zimperium researcher and
VP Joshua Drake says the new Stagefright vulnerability is as dangerous as the first.
The good news? Google already has patches ready to go.
Despite the scary name, Stagefright isn’t actually the name of an exploit.
It refers to the multimedia engine library in Android known as libstagefright.
The new vulnerability in Stagefright is similar to the first one, but the attack vector is different.
Stagefright 1.0 relied upon MMS messages to trigger processing of a malicious media file by Stagefright.
This could theoretically be used to run arbitrary code on the device.
The new issue involves targeting devices via web pages hosting the malicious media files (an MP3 or MP4).
The effect is the same — the attacker can run code via the Stagefright library on your device.
The new Stagefright bug actually involves two system components, one of which is libstagefright.
The relevant bug for this one was only introduced in Android 5.0, so the headlines claiming a billion
affected devices are only telling half the story. Stagefright 2.0 involves libstagefright making a call
to a library called libutils in a vulnerable way — that’s the core of the exploit.
The libutils library has been in Android since 1.0, so every device has this bug.
It’s possible that other system components could make a similarly dangerous API call, so it still needs
to be patched ASAP. However, Stagefright 2.0 in its current form is technically only dangerous on Android 5.0.
Google was notified by Zimperium in advance of the vulnerability and has developed patches that will be
rolled out in the October 5th Nexus update. That’s also the update that brings Android 6.0 to Nexus devices,
so all builds of Marshmallow should have this vulnerability patched. Other Android devices need to wait on
updates from the OEMs and carriers, but Samsung and LG have already pledged to push out security updates
on a monthly basis. This has always been the problem with Android security patches, but it should be a
little better this time around.
In the meantime, should you panic? Just like the first Stagefright exploit, there’s no evidence this
vulnerability has ever been used in the wild. It’s important to realize that Stagefright itself isn’t
harmful to your device; it’s just a potential way in. An attacker still needs code that does something
to the device, whether that is stealing data or gaining root access on the system. These are very difficult exploits
to uncover in Android these days.
The Stagefright bug isn’t pretty, but the sky is not falling.