Bugs in the Stagefright series continue to haunt Android: a recently revealed pair of bugs leaves over a billion devices vulnerable to remote code execution and possibly complete hijack of the device.
Discovered by experts at mobile security firm Zimperium, the two bugs join the list of others discovered earlier this year. The company notes in a blog post that its VP of Research, Joshua J. Drake, continued his research on Android vulnerabilities after discovering vulnerabilities in the Stagefright library in April, and as a result found two more vulnerabilities that could allow attackers to carry out remote attacks against current devices.
The first vulnerability is present in libutils and, according to Drake, it impacts almost every Android device out there since version 1.0 was released in 2008. The second vulnerability is present in libstagefright and affects devices running version 5.0 and above. The company says it has confirmed remote code execution (RCE) impact via libstagefright on Android 5.0 and later.
Drake says that older devices may be impacted if the vulnerable function in libutils is exploited through third-party apps or through vendor or carrier functionality that is pre-loaded on the phone.
The bugs can be exploited by tricking the user into visiting a site that hosts specially crafted MP3 or MP4 files.
The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.
The company revealed that it notified the Android Security Team about this issue on August 15th and that, as always, the team responded quickly and moved to remediate. The team assigned CVE-2015-6602 to the libutils issue but has yet to provide the company with a CVE number to track the second issue.
Zimperium zLabs isn’t going to release a proof-of-concept exploit targeting the new vulnerability to the general public. However, once a patch is made available from Google, they will be updating their Stagefright Detector app to detect this vulnerability. The mobile security firm is expecting more vulnerabilities to pop up in the same area.