Stagefright 2.0 hits while Android users remain "sitting ducks"

New threat leaves a billion users at risk, but analyst finds security patches far too slow

Android users have become "sitting ducks" for hackers, according to a cyber security expert, following the discovery of a new Stagefright threat while millions remain unprotected from the original bug.

One billion Android devices are at risk from the latest Stagefright vulnerability, which can attack smartphones via song and video files hosted by malicious websites or apps, according to Zimperium Labs, which unearthed the new flaw yesterday after discovering the original Stagefright issue in July.

While Stagefright needed someone's mobile phone number to effect an attack, hackers using Stagefright 2.0 can take control of someone's data and apps via song and video files.

They simply need to persuade their victim to visit a malicious website they control, then preview a media file.


Alternatively, hackers on the same network as their victim could inject the exploit via a man-in-the-middle attack, and third-party apps like media players and instant messengers could be sabotaged by hackers to carry malicious song or video files.

"The attacker gains a foothold, from which they could conduct further local privilege escalation attacks and take complete control of the device," explained Zimperium.

Mark James, IT security specialist at ESET, said the consequences of such an exploit could be devastating.

"This code could in theory allow them full access to your device enabling them to do whatever they wish," he said. "This could include installing other malware or just harvesting your data for use in identity theft."

But the latest flaw emerged as millions of users remain vulnerable to the first Stagefright threat, which can take over phones' data and apps via malicious picture and video messages.

Google has issued a succession of buggy patches since Stagefright first emerged, but so far only ASUS, HTC, LG, Motorola and Nvidia have adapted those to their own customisations of Android, with luxury phonemaker Vertu now set to follow suit.


Security analyst Graham Cluley told IT Pro: "The appalling way that most Android users are treated in regards to security updates has left them as sitting ducks for attackers."

Google said it plans to issue a patch fixing Stagefright 2.0 on Monday, 5 October, but while Zimperium praised its swift response, others have poked holes in its existing patches for the original Stagefright bug.

Other Android vendors are embarking on their own monthly update cycles, but Cluley criticised the pace at which patches are rolled out to end users.

"It's all very well worrying about this latest version of Stagefright, but what about the many other vulnerabilities that Android users are exposed to because so many of them find it impossible to get their hands on a patch," he said.


Security experts G Data counted 440,267 new Android malware threats, or 4,900 a day, in the first quarter of 2015, a 6 per cent rise on the fourth quarter of 2014.

Meanwhile, a 2014 study by F-Secure found Google's operating system accounted for 97 per cent of all mobile malware that year, up from 87 per cent in 2013.


In comparison, iPhone, BlackBerry, Palm and Windows Phone devices accounted for less than one per cent of malware last year.

Patching Android devices is another issue entirely, as vendors must adapt Google's patches for their own, heavily customised, versions of Android.

Trey Ford, global security strategist at Rapid 7, explained: "The carriers have a custom software build, with their own 'out of box experience' with special licensing agreements, software features and promotions. This process exacerbates an already complex supply chain."

This process means that after Google delivers patches to carriers, it can take another nine to 18 months for the carriers to make the patches available to end users.

A Google spokeswoman told IT Pro: "As announced in August, Android is using a monthly security update process. Issues, including the ones Zimperium reported, will be patched in the October Monthly Security Update for Android rolling out Monday, October 5th and will be posted about on our blogs."
