Additional issues have been found surrounding audio files and libstagefright, but Google's already got a fix underway.
The past couple of months have been filled with a lot of uncertainty surrounding a series of issues popularly named Stagefright, a name earned because most of the issues found have to do with libstagefright in Android. The security firm Zimperium has published what they are calling Stagefright 2.0, with two new issues surrounding mp3 and mp4 files that could be manipulated to execute malicious code on your phone.
Here's what we know so far, and how to keep yourself safe.
What is Stagefright 2.0?
According to Zimperium, a pair of recently discovered vulnerabilities make it possible for an attacker to present an Android phone or tablet with a file that looks like an MP3 or MP4, so when the metadata for that file is previewed by the OS that file could execute malicious code. In the event of a Man in the Middle attack or a website built specifically for delivering these malformed files, this code could be executed without the user ever knowing.
Zimperium claims to have confirmed remote execution, and brought this to Google's attention on August 15. In response, Google assigned CVE-2015-3876 and CVE-2015-6602 to the pair of reported issues and started working on a fix.
Is my phone or tablet affected?
In one way or another, yes. CVE-2015-6602 refers to a vulnerability in libutils, and as Zimperium points out in their post announcing the discovery of this vulnerability it impacts every Android phone and tablet going back as far as Android 1.0. CVE-2015-3876 affects every Android 5.0 and higher phone or tablet, and could theoretically be delivered via website or man in the middle attack.
There are currently no public examples of this vulnerability ever having been used to exploit anything outside of lab conditions, and Zimperium is not planning to share the proof-of-concept exploit they used to demonstrate this issue to Google. While it's possible someone else could figure this exploit out before Google issues a patch, with the details behind this exploit still being kept private it's unlikely.
What is Google doing about this?
According to a statement from Google, the October Security Update addresses both of these vulnerabilities. These patches will be made in AOSP and will roll out to Nexus users starting October 5th. Eagle eyed readers might have noticed the Nexus 5X and Nexus 6P we looked at recently already had the October 5th update installed, so if you pre-ordered one of those phones your hardware will arrive patched against these vulnerabilities. Additional information on the patch will be in the Android Security Google Group on October 5th.
As for non-Nexus phones, Google provided the October Security Update to partners on September 10th, and has been working with OEMs and carriers to deliver the update as soon as possible. If you take a look at the list of devices patched in the last Stagefright exploit, you've got a reasonable picture of what hardware is being considered a priority in this process.
How do I stay safe until the patch arrives for my phone or tablet?
In the event that someone really is running around with a Stagefright 2.0 exploit and trying to infect Android users, which again is highly unlikely due to the lack of public details, the key to staying safe has everything to do with paying attention to where you're browsing and what you are connected to.
Avoid public networks when you can, rely on two-factor authentication whenever possible, and stay as far away from shady websites as you possibly can. Mostly, common sense web stuff for keeping yourself safe.
Is this the end of the world?
Not even a little bit. While all of the Stagefright vulnerabilities are indeed serious and need to be treated as such, communication between Zimperium and Google to ensure these issues are addressed as quickly as possible has been fantastic. Zimperium has rightly called attention to problems with Android, and Google has stepped in to fix. In a perfect world these vulnerabilities wouldn't exist, but they do and are being addressed quickly. Can't ask for much more than that, given the situation we're in.