Stagefright 2.0 hits while Android users remain "sitting ducks"

New threat leaves a billion users at risk, but analyst finds security patches far too slow

Android users have become "sitting ducks" for hackers, according to a cyber security expert following the discovery of a new Stagefright threat despite millions remaining unprotected from the original bug.

One billion Android devices are at risk from the latest Stagefright vulnerability, which can attack smartphones via song and video files hosted by malicious websites or apps, according to Zimperium Labs, which unearthed the new flaw yesterday after discovering the original Stagefright issue in July.

While Stagefright needed someone's mobile phone number to effect an attack, hackers using Stagefright 2.0 can take control of someone's data and apps via song and video files.

They simply need to persuade their victim to visit a malicious website they control, then preview a media file.

Alternatively, hackers on the same network as their victim could inject the exploit via a man-in-the-middle attack, and third-party apps like media players and instant messengers could be sabotaged by hackers to carry malicious song or video files.

"The attacker gains a foothold, from which they could conduct further local privilege escalation attacks and take complete control of the device," explained Zimperium.

Mark James, IT security specialist at ESET, said the consequences of such an exploit could be devastating.

"This code could in theory allow them full access to your device enabling them to do whatever they wish," he said. "This could include installing other malware or just harvesting your data for use in identity theft."

But the latest flaw emerged as millions of users remain vulnerable to the first Stagefright threat, which can take over phones' data and apps via malicious picture and video messages.

Google has issued a succession of buggy patches since Stagefright first emerged, but so far only ASUS, HTC, LG, Motorola and Nvidia have adapted those to their own customisations of Android, with luxury phonemaker Vertu now set to follow suit.

Security analyst Graham Cluley told IT Pro: "The appalling way that most Android users are treated in regards to security updates has left them as sitting ducks for attackers."

Google said it plans to issue a patch fixing Stagefright 2.0 on Monday, 5 October, but while Zimperium praised its swift response, others have poked holes in its existing patches for the original Stagefright bug.

Other Android vendors are embarking on their own monthly update cycles, but Cluley criticised the pace at which patches are rolled out to end users.

"It's all very well worrying about this latest version of Stagefright, but what about the many other vulnerabilities that Android users are exposed to because so many of them find it impossible to get their hands on a patch," he said.

Security experts G Data counted 440,267 new Android malware threats 4,900 a day in the first quarter of 2015, a 6 per cent rise on the fourth quarter of 2014.

Meanwhile, a 2014 study by F-Secure found Google's operating system accounted for 97 per cent of all mobile malware that year up from 87 per cent in 2013.

In comparison, iPhone, BlackBerry, Palm and Windows Phone devices accounted for less than one per cent of malware last year.

Patching them is another issue entirely, as vendors must adapt Google's patches for their own, heavily customised, versions of Android.

Trey Ford, global security strategist at Rapid 7, explained: "The carriers have a custom software build, with their own out of box experience' with special licensing agreements, software features and promotions. This process exacerbates an already complex supply chain."

This process means that after Google delivers patches to carriers, it can take another nine to 18 months for the carriers to make the patches available to end users.

A Google spokeswoman told IT Pro: "As announced in August, Android is using a monthly security update process. Issues including the ones Zimperium reported, will be patched in the October Monthly Security Update for Android rolling out Monday, October 5th and will be posted about on our blogs."

Featured Resources

Humility in AI: Building trustworthy and ethical AI systems

How humble AI can help safeguard your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Leadership compass: Privileged Access Management

Securing privileged accounts in a high-risk environment

Download now

Why you need to include the cloud in your disaster recovery plan

Preserving data for business success

Download now

Recommended

What is shoulder surfing?
Security

What is shoulder surfing?

2 Dec 2020
Most Docker container images have critical flaws
containers

Most Docker container images have critical flaws

2 Dec 2020
Security benefits of open virtualised RAN
Whitepaper

Security benefits of open virtualised RAN

2 Dec 2020
Bitdefender debuts cloud-based endpoint detection and response solution
endpoint security

Bitdefender debuts cloud-based endpoint detection and response solution

2 Dec 2020

Most Popular

350,000 Spotify users hacked in credential stuffing attack
Security

350,000 Spotify users hacked in credential stuffing attack

24 Nov 2020
46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020
Samsung Galaxy Note might be discontinued in 2021
Mobile Phones

Samsung Galaxy Note might be discontinued in 2021

1 Dec 2020