Skip to main content

Stagefright makes a comeback, and more than 1 billion phones are vulnerable


The number of vulnerabilities found in Android’s Stagefright just grew, and this time devices from as far back as Android 1.0 are vulnerable to attack. This first vulnerability, affecting almost every Android device, is in “libutils” — and that’s just one of the vulnerabilities recently discovered by Zimperium. Another vulnerability was found in libstagefright that makes Android devices running software versions later than 5.0 vulnerable as well…

As shared by Zimperium Mobile Security:

Meet Stagefright 2.0, a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files. The first vulnerability (in libutils) impacts almost every Android device since version 1.0 released in 2008. We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright). Google assigned CVE-2015-6602 to vulnerability in libutils. We plan to share CVE information for the second vulnerability as soon as it is available.

This is definitely going to be just a bunch of confusing technical jibber-jabber to most, but it’s really pretty simple: There are a couple of vulnerabilities that appear when Android processes the metadata of certain MP3 and MP4 files. Thankfully, Google has fixed MMS vulnerabilities in their newest versions, and attackers have to go with something a little more complex this time. Zimperium suggests that the web browser is the most likely medium of attack now.

While you probably shouldn’t panic, the Android phone you own — which you might be reading this article on, in fact — is certainly vulnerable. The original Stagefright vulnerabiltiy, however, was part of many factors that pushed Google to step in and start doing monthly security updates for Android. If you have a Nexus device, you’ll probably get the update to fix this bug first, while owners of other Android phones will be down the line.

Google hasn’t actually recognized this vulnerability yet, and definitely hasn’t announced plans to fix it, but it’s almost certainly in the pipeline. That’s why they’re doing these monthly security updates (and giving those running Marshmallow a date that their device is secure to), right? Google pushed the last one on September 8th, so I assume that they’re getting read to push another in the next week or so. Whether or not it includes fixes for “Stagefright 2.0” is still to be seen.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Stephen Hall Stephen Hall

Stephen is Growth Director at 9to5. If you want to get in touch, follow me on Twitter. Or, email at stephen (at) 9to5mac (dot) com, or an encrypted email at hallstephenj (at) protonmail (dot) com.