Google and several Android smartphone manufacturers released a patch two months ago to secure phones against the Stagefright bug, which had affected about a billion Android-powered devices, but security experts still warn that the system is not foolproof.
The Stagefright bug allows an attacker to take over an Android device by sending an MMS message; Stagefright 2.0 allows an attacker to cripple the device using MP3 or MP4 files.
If a user visits a website that hosts an infected song or video file and previews that media content, the vulnerability in the Android operating system allows an attacker to gain access to the device and execute code remotely. An attacker could attain full access to a victim’s device, install malicious programs, and learn personal information from it.
“The first vulnerability (in libutils) impacts almost every Android device since version 1.0 released in 2008. We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright),” said Zimperium, the security firm which discovered the original Stagefright vulnerability.
The new Stagefright 2.0 bug is even more alarming because an attacker can gain access to and take over an Android device without even knowing its number. The first version required an attacker to know your mobile number, because a text message had to be sent to your device. The new bug does not require the attacker to know your mobile number, which makes your device more vulnerable.
Google was notified about it in August, and the company flagged it as a “critical vulnerability” but no patch has been rolled out so far.