Stagefright 2.0 hits while Android users remain "sitting ducks"

New threat leaves a billion users at risk, but analyst finds security patches far too slow

Android users have become "sitting ducks" for hackers, according to a cyber security expert following the discovery of a new Stagefright threat despite millions remaining unprotected from the original bug.

One billion Android devices are at risk from the latest Stagefright vulnerability, which can attack smartphones via song and video files hosted by malicious websites or apps, according to Zimperium Labs, which unearthed the new flaw yesterday after discovering the original Stagefright issue in July.

While Stagefright needed someone's mobile phone number to effect an attack, hackers using Stagefright 2.0 can take control of someone's data and apps via song and video files.

They simply need to persuade their victim to visit a malicious website they control, then preview a media file.

Alternatively, hackers on the same network as their victim could inject the exploit via a man-in-the-middle attack, and third-party apps like media players and instant messengers could be sabotaged by hackers to carry malicious song or video files.

"The attacker gains a foothold, from which they could conduct further local privilege escalation attacks and take complete control of the device," explained Zimperium.

Mark James, IT security specialist at ESET, said the consequences of such an exploit could be devastating.

"This code could in theory allow them full access to your device enabling them to do whatever they wish," he said. "This could include installing other malware or just harvesting your data for use in identity theft."

But the latest flaw emerged as millions of users remain vulnerable to the first Stagefright threat, which can take over phones' data and apps via malicious picture and video messages.

Google has issued a succession of buggy patches since Stagefright first emerged, but so far only ASUS, HTC, LG, Motorola and Nvidia have adapted those to their own customisations of Android, with luxury phonemaker Vertu now set to follow suit.

Security analyst Graham Cluley told IT Pro: "The appalling way that most Android users are treated in regards to security updates has left them as sitting ducks for attackers."

Google said it plans to issue a patch fixing Stagefright 2.0 on Monday, 5 October, but while Zimperium praised its swift response, others have poked holes in its existing patches for the original Stagefright bug.

Other Android vendors are embarking on their own monthly update cycles, but Cluley criticised the pace at which patches are rolled out to end users.

"It's all very well worrying about this latest version of Stagefright, but what about the many other vulnerabilities that Android users are exposed to because so many of them find it impossible to get their hands on a patch," he said.

Security experts G Data counted 440,267 new Android malware threats 4,900 a day in the first quarter of 2015, a 6 per cent rise on the fourth quarter of 2014.

Meanwhile, a 2014 study by F-Secure found Google's operating system accounted for 97 per cent of all mobile malware that year up from 87 per cent in 2013.

In comparison, iPhone, BlackBerry, Palm and Windows Phone devices accounted for less than one per cent of malware last year.

Patching them is another issue entirely, as vendors must adapt Google's patches for their own, heavily customised, versions of Android.

Trey Ford, global security strategist at Rapid 7, explained: "The carriers have a custom software build, with their own out of box experience' with special licensing agreements, software features and promotions. This process exacerbates an already complex supply chain."

This process means that after Google delivers patches to carriers, it can take another nine to 18 months for the carriers to make the patches available to end users.

A Google spokeswoman told IT Pro: "As announced in August, Android is using a monthly security update process. Issues including the ones Zimperium reported, will be patched in the October Monthly Security Update for Android rolling out Monday, October 5th and will be posted about on our blogs."

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Mastering endpoint security implementation
Security

Mastering endpoint security implementation

16 Apr 2021
US, UK say Russia was behind SolarWinds hack
cyber attacks

US, UK say Russia was behind SolarWinds hack

16 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
University of Hertfordshire's entire IT system offline after cyber attack
cyber attacks

University of Hertfordshire's entire IT system offline after cyber attack

15 Apr 2021