Zimperium Security has discovered a new way to exploit Stagefright that isn’t covered by existing software patches.
The new vulnerability works by encoding a malicious program into an audio file, delivered as an MP3 or MP4. Once a user previews the file or visits a page where that file is embedded, Android’s audio preview will activate the program, infecting the device.
Stagefright was first discovered in July. The vulnerability allowed attackers to target Android phones over text or MMS, exploiting a weakness in Android’s multimedia preview function.
Google, manufacturers and carriers scrambled to patch the bug, only to have another bug pop up two weeks later, requiring another round of patches. Now, three months after the initial disclosure, it is happening again.
More troubling is the fact that the virus can also be deployed by an attacker on a public Wi-Fi network, potentially enabling a self-replicating or wormed version of Stagefright. Because some version of the preview function exists in most versions of Android, nearly every Android device is susceptible to the bug, although specific implementations vary from version to version.
Android’s mitigation strategies have proved less effective against Stagefright than initially thought. Zimperium hasn’t released a workable exploit for the new bug yet, so Google and its partners will have a head start in patching the bug, but it leaves Android users counting on carriers and manufacturers for yet another critical patch.
Google is currently working to fix the issue in the core Android code, and says a patch will be included in the October Monthly Security Update, provided to partners on September 10th and rolling out to Nexus phones on October 5th.
Android Security has had no reports of active exploitation of the bug so far.