Infected tune: Androids can be hacked through opening song or video, experts say
“Meet Stagefright 2.0, a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files,” says a report from Zimperium, a cybersecurity company specializing in mobile devices.
The first Stagefright exploit was found by Zimperium in April and was publicly announced in July this year. It involved an Android multimedia engine library known as libstagefright, which could be made to execute malicious code via an MMS message. A bug fix was rolled out two days ago after it was reported to Google by the cybersecurity company.
The new exploit affects the same library, but does so via a malicious MP3 or MP4 file played on a webpage. According to Zimperium, the bug is capable of affecting “almost every Android device since version 1.0 released in 2008.”
The risk lies “in the processing of metadata within the files,” say the experts, so you can ‘catch the bug’ when you are playing a song or a video.
“Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser. An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled Web site.”
We plan to release an update for Stagefright Detector app (containing Stagefright 2) after @Android Nexus Security Bulletin on October 5. — Team zLabs (@zLabsProject) October 1, 2015
Flaws in Android devices, by far the most dominant smartphone operating system in the world, are frequently exposed.
In July, Zimperium uncovered a bug that allows devices to be hacked by simply texting them. The victims don’t even need to be tricked into downloading or opening a bad file – attackers only need to send them a text message for the malware to take hold.
In August, cybersecurity firm FireEye Inc. said that Android devices equipped with a fingerprint sensor are vulnerable to hacker attacks. Attackers can not only bypass the biometric authentication, but even steal the fingerprint data itself, security researchers told a hacker conference.