Stagefright 2.0 hits while Android users remain "sitting ducks"

New threat leaves a billion users at risk, but analyst finds security patches far too slow

Android users have become "sitting ducks" for hackers, according to a cyber security expert following the discovery of a new Stagefright threat despite millions remaining unprotected from the original bug.

One billion Android devices are at risk from the latest Stagefright vulnerability, which can attack smartphones via song and video files hosted by malicious websites or apps, according to Zimperium Labs, which unearthed the new flaw yesterday after discovering the original Stagefright issue in July.

While Stagefright needed someone's mobile phone number to effect an attack, hackers using Stagefright 2.0 can take control of someone's data and apps via song and video files.

They simply need to persuade their victim to visit a malicious website they control, then preview a media file.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Alternatively, hackers on the same network as their victim could inject the exploit via a man-in-the-middle attack, and third-party apps like media players and instant messengers could be sabotaged by hackers to carry malicious song or video files.

"The attacker gains a foothold, from which they could conduct further local privilege escalation attacks and take complete control of the device," explained Zimperium.

Mark James, IT security specialist at ESET, said the consequences of such an exploit could be devastating.

"This code could in theory allow them full access to your device enabling them to do whatever they wish," he said. "This could include installing other malware or just harvesting your data for use in identity theft."

But the latest flaw emerged as millions of users remain vulnerable to the first Stagefright threat, which can take over phones' data and apps via malicious picture and video messages.

Google has issued a succession of buggy patches since Stagefright first emerged, but so far only ASUS, HTC, LG, Motorola and Nvidia have adapted those to their own customisations of Android, with luxury phonemaker Vertu now set to follow suit.

Advertisement - Article continues below

Security analyst Graham Cluley told IT Pro: "The appalling way that most Android users are treated in regards to security updates has left them as sitting ducks for attackers."

Google said it plans to issue a patch fixing Stagefright 2.0 on Monday, 5 October, but while Zimperium praised its swift response, others have poked holes in its existing patches for the original Stagefright bug.

Other Android vendors are embarking on their own monthly update cycles, but Cluley criticised the pace at which patches are rolled out to end users.

"It's all very well worrying about this latest version of Stagefright, but what about the many other vulnerabilities that Android users are exposed to because so many of them find it impossible to get their hands on a patch," he said.

Advertisement
Advertisement - Article continues below

Security experts G Data counted 440,267 new Android malware threats 4,900 a day in the first quarter of 2015, a 6 per cent rise on the fourth quarter of 2014.

Meanwhile, a 2014 study by F-Secure found Google's operating system accounted for 97 per cent of all mobile malware that year up from 87 per cent in 2013.

Advertisement - Article continues below

In comparison, iPhone, BlackBerry, Palm and Windows Phone devices accounted for less than one per cent of malware last year.

Patching them is another issue entirely, as vendors must adapt Google's patches for their own, heavily customised, versions of Android.

Trey Ford, global security strategist at Rapid 7, explained: "The carriers have a custom software build, with their own out of box experience' with special licensing agreements, software features and promotions. This process exacerbates an already complex supply chain."

This process means that after Google delivers patches to carriers, it can take another nine to 18 months for the carriers to make the patches available to end users.

A Google spokeswoman told IT Pro: "As announced in August, Android is using a monthly security update process. Issues including the ones Zimperium reported, will be patched in the October Monthly Security Update for Android rolling out Monday, October 5th and will be posted about on our blogs."

Featured Resources

Transform the operator experience with enhanced automation & analytics

Bring networking into the digital era

Download now

Artificially intelligent data centres

How the C-Suite is embracing continuous change to drive value

Download now

Deliver secure automated multicloud for containers with Red Hat and Juniper

Learn how to get started with the multicloud enabler from Red Hat and Juniper

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

8 Mar 2019

Most Popular

Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019
Visit/security/vulnerability/354309/patch-issued-for-critical-windows-bug
vulnerability

Patch issued for critical Windows bug

11 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/data-insights/big-data/354311/google-reveals-uks-most-searched-for-terms-in-2019
big data

Google reveals UK’s most searched for terms in 2019

11 Dec 2019