A new Stagefright vulnerability has been discovered and this time it looks even scarier

Victor, 03 October, 2015

It seems the Stagefright storm hasn't quite passed after all. As most of you might remember, a few months ago a scary vulnerability in one of Android's core multimedia libraries was uncovered and found to affect almost every device powered by Google's OS, as early as 2.2 Froyo. Since then, there have been no reports of an actual exploit utilizing the bug, but, naturally, it gave the whole industry quite a scare, triggering a quick reaction from many OEMs like Motorola and Samsung, who issued emergency fixes.



Just when we thought troubles had passed, Zimperium, the same security company that shed light on the initial vulnerability, now warns of two new bugs that have been found in the very same Android Stagefright component. According to the official description, the new duo of vulnerabilities can be exploited with specially crafted MP3 and MP4 files. The first is found in a function within libutils and could impact nearly any Android build, as early as Android 1.0. The second one, however, might be even more frightening, as it relates to a hole in libstagefright and allows for injecting malicious code and gaining root access on devices running Android 5.0 Lollipop and up.

This new announcement seems to render a large chunk of the existing Stagefright emergency patches powerless and is troubling, since we were left with the impression that no new builds of Android would be affected anymore. The existing measures, however, are far from useless, as they seem to have patched the previous MMS delivery method almost completely. If a hacker were to use these new back doors, it would theoretically have to be through the Web browser, either by way of phishing, malicious apps and ads, or even a man-in-the-middle attack if the devices are on the same network.

Now that we are all sufficiently scared, here's the good news. First and foremost, like the original Stagefright vulnerability, it is unlikely that this new batch will ever be used in an actual exploit, especially since Joshua J. Drake of Zimperium, largely responsible for uncovering the issues, has decided to be extra cautious this time around and not share a proof-of-concept exploit for this new vulnerability with the general public. Even the company's original Stagefright detector app will receive an update to pick up the new threat only after Google has developed a patch.

All things considered, we, as end-users, shouldn't really feel worried at this point.


Reader comments

  • WHAT
  • 07 Oct 2015
  • 2Au

your comment popped out of the blue like . . . WHAT the heck you mean dude, seriously. tss >_

  • TF Tier 3
  • 07 Oct 2015
  • LC8

Lol I have been reading the comments about the company and let me tell you that it is true that we have a LOT to improve, but it is not a bad company, and those who work here should not be complaining since you are being paid xD At least in my case I d...

  • Anonymous
  • 06 Oct 2015
  • q8P

So sadly true
