Android users face compromise if they view specially crafted files.
After discovering exploitable remote code execution flaws in the Stagefright media library earlier this year, Zimperium researchers also found this hole. They called it Stagefright 2.0.
“The first vulnerability (in libutils) impacts almost every Android device since version 1.0 released in 2008,” researchers said in a blog post. “We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright).”
As of now, one billion Android devices are affected by the flaw in libutils, but the libstagefright bug is present on around 20 percent of them.
The Stagefright media library is used by Android to process popular media formats.
The vulnerabilities cannot be triggered via MMS (as before), but can be triggered via the browser or a third-party app that uses the vulnerable library.
Google is aware of the problem and is already working on a patch. In the meantime, Zimperium researchers won’t be releasing PoC code to the public for the foreseeable future, but they will share it with Zimperium Handset Alliance partners.
Researchers are sure this is not the end of vulnerabilities affecting this library.
“As more and more researchers have explored various vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area,” they said.
Zimperium customers do have protection against attacks exploiting these flaws, but the company said it will update its Stagefright Detector app to detect this vulnerability as soon as Google comes up with a patch, which could be as early as next week.