New round of Stagefright security exploits found in Android

Android has had a number of security scares over the years, but the Stagefright bug that was made public over the summer spurred Mountain View to action like never before. Patches have already rolled out for that bug, but now security firm Zimperium has announced a second round of Stagefright exploits that aren’t covered by the first patch. Zimperium researcher and VP Joshua Drake says the new Stagefright vulnerability is as dangerous as the first.

The good news? Google already has patches ready to go.

Despite the scary name, Stagefright isn’t actually the name of an exploit.

It refers to the multimedia engine library in Android known as libstagefright.

The new vulnerability in Stagefright is similar to the first one, but the attack vector is different.

Stagefright 1.0 relied upon MMS messages to trigger processing of a malicious media file by Stagefright.

This could theoretically be used to run arbitrary code on the device.

The new issue involves targeting devices via web pages hosting the malicious media files (an MP3 or MP4).

The effect is the same — the attacker can run code via the Stagefright library on your device.


The new Stagefright bug actually involves two system components, one of which is libstagefright. The relevant bug for this one was only introduced in Android 5.0, so the headlines claiming a billion affected devices are only telling half the story. Stagefright 2.0 involves libstagefright making a call to a library called libutils in a vulnerable way — that’s the core of the exploit. The libutils library has been in Android since 1.0, so every device has this bug. It’s possible that other system components could make a similarly dangerous API call, so it still needs to be patched ASAP. However, Stagefright 2.0 in its current form is technically only dangerous on Android 5.0 and higher.

Google was notified by Zimperium in advance of the vulnerability and has developed patches that will be rolled out in the October 5th Nexus update. That’s also the update that brings Android 6.0 to Nexus devices, so all builds of Marshmallow should have this vulnerability patched. Other Android devices need to wait on updates from the OEMs and carriers, but Samsung and LG have already pledged to push out security updates on a monthly basis. This has always been the problem with Android security patches, but it should be a little better this time around.

In the meantime, should you panic? Just like the first Stagefright exploit, there’s no evidence this vulnerability has ever been used in the wild. It’s important to realize that Stagefright itself isn’t harmful to your device, it’s just a potential way in. An attacker still needs code that does something to the device, be that steal data or gain root access on the system. These are very difficult exploits to uncover in Android these days.

The Stagefright bug isn’t pretty, but the sky is not falling.