UPDATED 00:45 EDT / OCTOBER 02 2015

NEWS

Buggy: new Android Stagefright vulnerability affects nearly every Android device in circulation

Google’s Android team will be feeling under the weather this week with another major security flaw being discovered on the operating system.

The gaping security hole is dubbed “Stagefright 2.0,” the successor to the original Stagefright vulnerability discovered back in August. It affects more than one billion Android devices, pretty much every single Android-powered device in circulation.

Joshua Drake, a researcher at Zimperium zLabs, discovered the security issue, saying that Stagefright 2.0 consists of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files.

The main vulnerability, which affects most Android devices, allows bad actors to target users through an infected MP3 or MP4 file. The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video, rather than fully playing it, is enough to trigger the issue.

According to Drake, the primary attack vector would be via a web browser, where an attacker would try to convince a potential target to visit a URL pointing at an attacker-controlled website; the attacker could inject the exploit using common traffic interception techniques (MITM) through unencrypted network traffic destined for the browser.

“I cannot tell you that all of the phones are vulnerable, but most of them are,” Drake told Motherboard. “All Android devices without the yet-to-be-released patch contain this latent issue.”

Google assigned CVE-2015-6602 to the vulnerability and said that a patch for these new vulnerabilities will be rolled out to users of its Nexus phones on October 5.


Vulnerabilities are discovered in operating systems from time to time, so there’s nothing new here. The problem, when it occurs on Android devices, is that patching relies on handset makers and/or telcos to push out updates to users; there is no centralized way to update Android phones, and this leaves more and more people vulnerable when holes like this are discovered.

That said, if you use an Android phone there is no need to panic: there’s no strong evidence that Stagefright 1.0 has ever been taken advantage of, and the same may prove true of this new vulnerability. Even then, you’d have to be seriously unlucky to be trapped by it.

Image credit: comedynose/Flickr/CC by 2.0
