
What you need to know about Stagefright 2.0

The past couple of months have been filled with a lot of uncertainty surrounding a series of issues popularly named Stagefright, a name earned because most of the issues found have to do with libstagefright in Android. The security firm Zimperium has published what they are calling Stagefright 2.0, with two new issues surrounding MP3 and MP4 files that could be manipulated to execute malicious code on your phone.

Here's what we know so far, and how to keep yourself safe.

What is Stagefright 2.0?

According to Zimperium, a pair of recently discovered vulnerabilities makes it possible for an attacker to present an Android phone or tablet with a file that looks like an MP3 or MP4; when the OS previews the metadata for that file, the file could execute malicious code. In the event of a man-in-the-middle attack or a website built specifically for delivering these malformed files, this code could be executed without the user ever knowing.

Zimperium claims to have confirmed remote execution, and brought this to Google's attention on August 15. In response, Google assigned CVE-2015-3876 and CVE-2015-6602 to the pair of reported issues and started working on a fix.

Is my phone or tablet affected?

In one way or another, yes. CVE-2015-6602 refers to a vulnerability in libutils, and as Zimperium points out in their post announcing the discovery of this vulnerability, it impacts every Android phone and tablet going back as far as Android 1.0. CVE-2015-3876 affects every Android 5.0 and higher phone or tablet, and could theoretically be delivered via a website or a man-in-the-middle attack.

HOWEVER.

There are currently no public examples of this vulnerability ever having been used to exploit anything outside of lab conditions, and Zimperium is not planning to share the proof-of-concept exploit they used to demonstrate this issue to Google. While it's possible someone else could figure this exploit out before Google issues a patch, with the details behind this exploit still being kept private it's unlikely.

What is Google doing about this?

According to a statement from Google, the October Security Update addresses both of these vulnerabilities. These patches will be made in AOSP and will roll out to Nexus users starting October 5th. Eagle-eyed readers might have noticed the Nexus 5X and Nexus 6P we looked at recently already had the October 5th update installed, so if you pre-ordered one of those phones your hardware will arrive patched against these vulnerabilities. Additional information on the patch will be in the Android Security Google Group on October 5th.

As for non-Nexus phones, Google provided the October Security Update to partners on September 10th, and has been working with OEMs and carriers to deliver the update as soon as possible. If you take a look at the list of devices patched in the last Stagefright exploit, you've got a reasonable picture of what hardware is being considered a priority in this process.

How do I stay safe until the patch arrives for my phone or tablet?

In the event that someone really is running around with a Stagefright 2.0 exploit and trying to infect Android users, which again is highly unlikely due to the lack of public details, the key to staying safe has everything to do with paying attention to where you're browsing and what you are connected to.

Avoid public networks when you can, rely on two-factor authentication whenever possible, and stay as far away from shady websites as you possibly can. Mostly, common sense web stuff for keeping yourself safe.

Is this the end of the world?

Not even a little bit. While all of the Stagefright vulnerabilities are indeed serious and need to be treated as such, communication between Zimperium and Google to ensure these issues are addressed as quickly as possible has been fantastic. Zimperium has rightly called attention to problems with Android, and Google has stepped in to fix them. In a perfect world these vulnerabilities wouldn't exist, but they do and are being addressed quickly. Can't ask for much more than that, given the situation we're in.

Russell is a Contributing Editor at Android Central. He's a former server admin who has been using Android since the HTC G1, and quite literally wrote the book on Android tablets. You can usually find him chasing the next tech trend, much to the pain of his wallet. Find him on Facebook and Twitter

68 Comments
  • Thanks for the update. Posted via the Android Central App
  • Keep in mind, that almost ANY modern OS will have SOME kind of flaw or exploit; it's not like the "crack-proof" days of the Atari 800... (I ran a dial-up BBS in those days, and offered a crisp $100 bill to anyone who could prove they had been able to "break into" my system, & in over 4 years, with a rotating base of 250-300 registered users, with about 150 or so "active" at any given time, not 1 person even TRIED to claim that prize, because the OS was as "bulletproof" as the BBS program that was crammed into that data-box.) The "malware" problems didn't start until some "genius" decided to put the OS on the system disk, instead of keeping it in ROM, where it belonged. Having known someone who wrote Operating Systems for Lucent Technologies, he commented that "A modern OS is becoming almost impossible to write, because it's expected to do too much with too little hardwired security."
    Just something for "early adopters" to keep in mind.
    (My favorite "hack-proof" "do-everything" setup was a Motorola ST-7868 phone velcro'd to the back of an HP Jornada-545.)
  • ...And these "glass keyboards" make typos too easy; I much prefer "voice-to-text" systems over a "glass cockpit", tho I always WAS a "stick-&-rudder" type, myself.
  • And no, it's not just android that has vulnerabilities. I read their websites, and there are tons of iOS remote attack exploits, but the difference is that iOS phones are updated regularly. So, Google needs to figure out a way to patch these quicker. Damn, C/C++ were evil. Still haunting us today. (I know, it's not the tool, it's the tool's user. But if even Google engineers can leave exploits using those languages, imagine lesser engineers.)
  • I think you put Google's engineers on too high a pedestal.
  • Can you please provide a link to the list there for IOS ? Could be interesting.
  • WTF? C is evil? and Java is good right? maybe Linus should use Python and Perl for the Kernel instead of C. it'll run so much faster and be soooo much more secure. and at the same time cleanup their stupid mistakes of not releasing memory the correct way if at all. GC is wonderful.
  • If the people who write this, er, "stuff", would give up the "higher-level languages" & everyone went back to using nothing but assembler, a.k.a. "machine code", there wouldn't be all of the problems there are now, we wouldn't need "patches", & everything would have scads of extra memory available. Try it, you might just like it!
    :)
  • True. Most of the phones won't see this fix anytime soon via AC App on
    VZW Moto X DE/N7
  • "Google needs to figure out a way to patch these quicker." Google Play Services as a layer between many apps and the OS serves as a quick way to send out bug fixes, performance improvements, and security fixes of many natures.
  • Google services updates hundreds of times a day, without your knowledge. Posted via the Android Central App
  • "hundreds of times a day" might be a bit of a stretch, but yes, it updates automatically for many things. Unfortunately, this "libstagefright" library is part of the core AOSP and cannot be patched via Play Services. Even still, this will give us a chance to see if the OEMs were just blowing smoke with their promises to start issuing "monthly" security updates to all current devices.
  • iOS had major vulnerabilities of affecting every one of their devices through apps in their appstore with malware. An ex NSA engineer, was an iOS developer tried to bring it to apple's attention several times. Then created a YT video after apple ignored him. Then apple banned him from the appstore and developing after the info became public and the fact apple ignored him. Think it was either a Wired or Verge article.
  • Man, I just updated my wife's note for the last one. It's so annoying updating rooted Samsung phones...
  • I know (regarding root). I went back to stock specifically for this reason. I don't really miss anything from root except writing to the microSD. And the latest AEL kernel was kicking butt.
  • Some phones come with a file manager that writes to the sd card (HTC does). 3rd party file managers like ES file explorer need root to do this, but not the oem manager. Guess it depends on the manufacturer. Posted via the Android Central App
  • I kept my Note 4 stock. I need those updates and the ability to use mobile payments like Android Pay. I'm not losing it on much, whenever I need to do things on my external sdcard I just use the Samsung File Manager.
    Download to internal storage then manually move the files myself. Galaxy Note 4 {Sprint 5.1.1}
    3-day Power with a 9600mAh Extended Battery.
  • 9600mah. Holy cow. I'm not sure what the stock battery for the Samsung Note 4 Edge is. I think maybe 2800mah , or 3000mah. So do they make a bigger mah battery for my Note 4 Edge. You can email me at cwvines1971@yahoo.com with any info. Thanks.
  • Annoying would be an understatement.
  • What's annoying about it?
  • "Is my phone or tabled affected?"
    I hope none of my Tabled are affected!
  • Just get rid of smartphones. Go back to old fashioned Night At The Roxbury phones. Posted via The Next Big Thing. My Samsung Galaxy Note 5!
  • Or perhaps buy a BlackBerry? Posted via Android Central App
  • Yeah. Nobody would write malicious code for the Blackberry. There's not enough install base to make it worth their while. Brilliant!
  • Don't panic. Google is on top of it and the most important thing for Android phone users is to never lose faith in Google. They own the future and they have top men working on this. You hear that? Top men!;)
  • You mean the PANIC ATTACK EXPLOIT lol Posted via the Android Central App
  • When do AOSP based ROMs get these patches (I.e. CyanogenMod users)? Probably the next nightly after Google pushes to AOSP? Posted via the Android Central App
  • The short answer would be "whenever Cyanogen brings the code change into CM."  Unfortunately, Google has no control over what anyone else does after they deploy new code to the AOSP repository.  I would imagine that Cyanogen will be looking to get the fixes incorporated pretty quickly, though.
  • I'm pretty sure the CM devs would implement any sort of security fix as soon as they find the set of code. Tis just up to the device maintainers to distribute it to the respective CM builds. Cynicism Evolved
  • In my opinion, the telecoms should consider themselves obligated to patch their users phones, or at least allow them to be patched by Google. Via the Moto X Classic
  • Google *can't* patch devices made by other OEM's, but I do agree that there should be something to prevent the carriers from "blocking" updates that the OEM's put out.  When I had my Galaxy Tab 2, every other version of that tablet in the world had the 4.3 update except Sprint's carrier-branded version.  That tells me that Sprint was "sitting" on the update.
  • I am one week into my first Nexus experience, the N6. Looking forward to finally being one of the first people to get an update
  • *yawn* Posted via Android Central App
  • You need to go lie down while the adults talk. You are sleepy.
  • Goes all the way back to Android 1.0!? Apple fanboys are going to have fun with this one. Posted via the Android Central App
  • That's right, you can write an exploit that works on all versions of Android, from 1.0 to 6.0. Android fragmentation my ass!
  • lol.  Never mind the remote execution exploit in iOS 8 that allowed hackers to execute malicious code on any iPhone just by being in the same room.  Exploit still exists in 8.x, actually.  Apple just patched it in iOS 9 and recommended that everyone update.
  • Looks serious and it's good that Google is patching it. Hope they don't overblow this one. Here lies the "2016 Flagship Killer". It got slayed by 2015 flagships like the LG G4 being used to post this.
  • This is ridiculous.. The first time around was bad, but understandable. This time, this is unacceptable. Strike 3 you're out Google .. Get it together
  • The whole design needs a complete overhaul. They have to build software so it can be patched up under any skin on top. This one is on Google not OEMs via AC App on
    VZW Moto X DE/N7
  • They should implement an Android Nexus partners program that basically functions like Android Wear. No more skins & no more nonsense and gimmicks. They can keep the existing model currently in place but add a program where manufacturers just make the hardware and Google controls the software. We all know the benefits of that already so no need to explain. I'm sick of depending on the Nexus line to provide these dependable devices and Google continues to not understand what its customers want. We need more stock android choices. Moto is close, but they've been slacking with updates with their new owners.. This strategy would propel Android in a meaningful way. And they address any issues rapidly.
  • Funny you say that, because didn't EVERY innovation in smartphones happen because OEMs thought outside of the box?? Without OEMs and their "gimmicks" Android as a whole would be rather bland and stagnant... Hell Samsung has single handedly changed the phone market and was first with nearly everything.. If Google can keep the "core" separate and update like a service, that would be far more ideal..
  • They could have collectively added these features via meetings with Google and bake it in so all the devices get the features. Having each do their own thing helps no one, not even themselves. Android is confusing to most because device makers are on a ffa. And now it's so heavily fragmented many will never try Android again. The only reason Samsung is so successful is because they advertise. A lot.. And they can afford to take losses.
  • Google gives away Android for free as open source code.  There is no possible way to limit what anyone does with it. I have never *ever* heard a single "normal" person use the term "fragmentation" when talking about cell phones.  I have spoken with several friends who were in the market for a new cell phone who ended up with a Samsung phone, even when I recommended another device over it.  The dirty little secret is that "normals" like all those "gimmicks" being listed on the tag.  They may never use 1/3 of the features, but they feel like the device is more sophisticated with all those little bells and whistles.  That is, in a nutshell, the nature of the "uneducated" consumer. The uneducated consumer looking to buy a new "flagship" device generally falls into one of two groups: they go with the iPhone, because they know people who have them and someone told them it's the best or easiest. they go with a Samsung phone because they know people who have them and like them, and they list the most "features" of the other Android phones.
  • "Funny you say that, because didn't EVERY innovation in smartphones happen because OEMs thought outside of the box??" Quite simply, no.
  • So glad I returned to the Nexus line. I'm not worried one bit.
  • +10,000,000 Posted via the Android Central App
  • Agreed. But this is getting out of hand.
  • Well blackberry may get a long time customer back....this is unacceptable. Posted via the Android Central App
  • The security breaches on Android and Apple just keep coming. I have an Android Tablet I use for reading and entertainment. My mobile phones used in running my business (Passport, Z30 and Z10) remain BlackBerry. And stories like this reaffirm my decision to keep using them. Posted via Android Central App
  • My Nexus 5 and 9 will be patched after Monday and my shiny new Nexus 6P will be immune. So glad to use Nexus :) Posted via the Android Central App
  • Everyone should use Nexus
  • My Nexus 6 should be patched also. So glad I have a Nexus. Posted via the Android Central App via My Nexus 6
  • Keep up the good work in getting the correct information out to the people!!!
  • I don't understand why Android software can't be overhauled so that Google delivers all security updates through the Play Store. My Nexus 7 tablet recently stopped working, so I traded it in on a new Samsung Galaxy Tab S2 8.0. My only hesitation in buying the tablet is Samsung's legendary slowness in pushing out updates. But I wanted a tablet with a 7 or 8 in form, so I got it. Here's fingers crossed...
  • Samsung has been a *lot* better about updates in recent years than they used to be.  I wouldn't worry too much.
  • Famous last words - You probably haven't heard about Cyber Crime and Cyber Warfare.
  • A security firm wants to create Panic? Go on... Posted via the Android Central App
  • To create panic just tell most Black Hats in Las Vegas I think it was in 2015 about Stagefright!
  • I'm sorry Russell...but you need to reword that summary paragraph at the end...As long as you're on the magical 'blessed' list...you *might* get this vulnerability patched. However, if you own one of the 100's of other models of Android phones...you're never going to see these patched, and you're absolutely at risk.
  • Aka, if you have a $25 device from some Chinese company that no one had ever heard of before that phone existed, then no, you will probably not get an update. That said, nobody is at risk unless one of the "bad guys" figures out how to do this on their own.
  • Knowledge is usually passed on to people by word and mouth. Why invent the wheel if it has already been invented? For example when at the Black Hat Symposium in Las Vegas if I remember correctly all competent Black Hats would have been aware of the problem and if not how many seconds minutes or hours would you think it would take for most Black Hats to be aware of the problem?
  • I hope Google are quick to get the patch out quickly for Stage Fright 2.0 Posted via the Android Central App via My Nexus 6
  • Why are they calling it Stagefright 2.0 when it affects a different library? Is this like people appending -gate to every scandal? How unoriginal.
  • I don't believe it is a different library. Just a different part of the library. I am interested about why they say it goes all the way back to Android 1.0, because I thought StageFright was a new media playback library that was introduced with Froyo (2.2). Maybe I'm remembering incorrectly...
  • Stagefright 4.0 test positive for Android one devices. Thanks to Google Already get patch. Before September
  • relax...
  • Just when I'm thinking of making the jump to Android, this sort of thing happens. And carriers only make things worse - there's always that one carrier in a country that lags behind the others (in Australia it seems to be Telstra).