We told you this Stagefright business wouldn’t begin and end with the first bug, and that’s becoming more apparent each and every day. A Zimperium Labs research has uncovered yet another vulnerability in the troubled Android multimedia library which could allow a hacker to take control of your phone without much work.
Unlike before where the attack could be triggered by simply sending a video message, this attack mostly requires that the victim clicks on a website where a bogus audio or video file has been planted. “Merely previewing the song or video would trigger the issue,” says Joshua Drake, the research who discovered and reported the bug.
Drake says the bug affects nearly every Android device that has been released since the original G1 in 2008. He says there’s also a second vulnerability that can come into play to affect people up to Android 5.0 Lollipop, though it simply piggybacks the primary bug.
This bug doesn’t sound nearly as bad at first as it requires you to click on something instead of it triggering on its own, but that’s still serious enough that it warrants major attention. And if that isn’t bad enough, if you somehow find yourself on the same public WiFi network (not likely for most people) with an attacker they can trigger the vulnerability by injecting your network traffic with malicious code, completely erasing the need for social engineering.
The researcher has sent the reports and patches to Google, who plans to issue them to Nexus devices in the October edition of the monthly security patches they’re sending out (which is said to be happening October 5th, a likely date for a Marshmallow rollout). Furthermore, the patch was sent to hardware makers as early as September 10th, so the updates should be in their respective updates in due time.
We’ve said it before, and we’ll say it again (and as many times as folks need to hear it before they understand): this isn’t the first bug, and it won’t be the last bug. Even after Google manages to squish all of the ones specifically in Stagefright, even more could pop up. And that’s not to mention all the other areas of the Android OS which may be hiding security holes. The most they can do is address it swiftly as it comes to their attention and do their hardest to get updates out to everyone, and they’ve kept their word on that promise to this point.