Two new critical vulnerabilities in Google’s mobile operating system were found by security researchers who say over 1 Billion Android devices are vulnerable. Devices ranging from Android 1.0 to 5.0 are at risk.
Attackers can exploit these vulnerabilities by lurging an unsuspecting user to visit websites that host malicious MP3 or MP4 binaries. Once the Android victim executes one of the infected files, the device is compromised and vulnerable to remote attack where a malicious hacker can take control, access data, photos, camera and microphone.
StageFright 2.0 Security Advisory
The 1st StageFright 2.0 vulnerability is found in the libutils library and is indexed in the Common Vulnerabilities and Exposures dictionary as CVE-2015-6602, affecting every Android device since 2008. CVE-2015-3876, the second vulnerability impacts Android 5.0 and up. The Android security team as ‘critical’, due to ‘remote privileged code execution.’
Android: More broken
OEMs and wireless carriers are still doing damage control with the first fixes for the StageFright bug, which allowed the execution of potential malicious code via MMS, such as images or video. Now Google has announced all Nexus devices will get automatic security updates each month in addition to regular platform patching to fix StageFright and whatever comes next.
HTC, LG and Sony phones will also receive updates as will Samsung, who just announced its first regular update plan. Samsung said StageFright was the catalyst for the update schedule and acknowledges the importance of time sensitivity in addressing major vulnerabilities.
“The OEM’s are now really understanding and the ecosystem is really understanding how to react more quickly, because we all see that it’s necessary.”
-Adrian Ludwig, Head of Android Security
Anything running android 2.2 or later is vulnerable. That’s almost all of them. According to recent analysis, pre-jellybean phones on Android 2.2 to 4.0.4 are at special risk thanks to inadequate exploit mitigation. Despite new patch efforts from OEMs and carriers Android is so fragmented…there are too many device models to fix. OpenSignal keeps charts of just how many devices and OS versions it encounters. It is doubtful that stagefright patches will get through to the entire ecosystem.