The Stagefright scare seems to be far from over as Zimperium labs who were the first ones to unearth the vulnerability have reported a Stagefright 2.0 version. This time around the vulnerability is piggy backing on the MP3 audio and also MP4 videos. Curbing the Stagefright menace would most likely be easier this time as we are already familiar with the modus operandi of the Stagefright family.
That being said, Stagefright 2 needs to fool users in opening a webpage as opposed to the more dangerous approach of the first Stagefright which swung into action once an Android user received an infected MMS. The chances are that the exploit might also be spread across through the apps and website popups.
Attacker would convince the users by masking the URL, which would in turn point at an attacker controlled website, the attacker in the same network would inject the exploit by using common traffic interception techniques (MITM) on the unencrypted network traffic.
If you recall, Stagefright got its name from the “libstagefright” library which is used by Android to handle multimedia content but this time around the new Stagefright is also said to affect the libutils library, which is usually associated with third party apps, vendor and also preloaded apps. Since the vulnerability lies in the processing of metadata, a mere preview of the media file will also affect the phone.
The vulnerability can very well manifest in many forms and considering the huge number of user database messaging and social networking apps have, it won’t be difficult for Stagefright 2.0 to spread like a epidemic.
Zimperium has already informed Google and is planning to reveal the proof of concept to the general public only once it is patched. Alternatively, the company will also be updating their Stagefright Detector app so that it can detect the new vulnerability. The only way users could safeguard their devices from Stragefright is by being rigid on accepting the media files from both known and unknown sources, next time your friend sends the link to that viral video don’t hesitate to thrash it off.