Internet Security

Stagefright 2.0: New Vulnerabilities Leave a Billion Android Devices at Risk

Written by prodigitalweb


Android Susceptibilities Identical to Original Stagefright

Two of the new Android susceptibilities identical to the original Stagefright bug enable attackers to obtain control of negotiated devices whenever a user views a preview of an .mp3 or .mp4 file. CVE-2015-6602 in libutils and CVE-2015-3876 in libstagefright permit remote code execution on any Android devices which leads to a privilege rise.

This provides the attacker total control of the compromised device. The attacker with this privilege of access tends to install malware, stealing information besides various other malicious functions. They can manipulate these flaws by developing malicious .mp3 audio files as well as .mp4 video files, alluring users to preview a song or video on an affected Android device.

Though Google had patched Stagefright so that it does not automatically processes crafted messages, there are possibilities for attackers to manipulate Stagefright through the mobile browser. Stagefright 2.0 vulnerabilities could be exploited through man-in-the middle attacks as well as through third party applications which may use Stagefright.


The updates for CVE-2015-6602 and CVE-2015-3876 are not presently made available, however Google has made note of these issues and will be patching it in its October Monthly Security Update very soon.

All Current Android Vulnerable to Two New Flaws

While Google has intentions of pushing updates, they may not make it to the affected devices since the carriers as well as the manufacturers are yet to distribute them. Google has informed that on September 10, patches had been provided to partners and the company has been working with OEMs as well as carriers in delivering the updates as early as possible.


There is a possibility that all current Android device could be vulnerable to the two new flaws wherein CVE-2015-6602 tends to affect most of the Android devices since version 1.0 and CVE-2015-3876 could affect any device running version 5.0 or higher.Josh Drake of Zimperium zLab had discovered the vulnerabilities and had informed the Android Security Team in August.


Zimperium had not made their proof of concept available to the general public for the flaws. When Drake had published the details about the critical Android vulnerabilities in the Stagefright media playback engine, he had promised that there would be more problems that he and the others would discover and report to Google’s Android security team.

Outbreak Course – Mobile Browser

Drake, Vice President of platform research and exploitation at Zimperium, had disclosed two more flaws in Stagefright, one of which dates back to the first version of Android and the second which was introduced in Android 5.0.


The bugs tend to affect over a billion Android devices, fundamentally all are in circulation. Stagefright 1.0 was exploited through a particularly created MMS message which at that point of time was automatically processed by Stagefright. The patch carried out by Google meant that Stagefright no longer does so especially in new versions of Google’s Messenger and Hangouts apps.


In the case of Stagefright 2.0, Avraham states that the most logical outbreak course would be the mobile browser where the users are tricked by the attackers through phishing or malvertising to visit a URL hosting the activity.Users need to proceed cautiously till a patch is applied while using the mobile browser to preview unwanted audio and video files. Android users are recommended to use any security updates issued by their carrier or device manufacturers whenever they are made available.



About the author