Stagefright 2.0

The past couple of months have been filled with a lot of uncertainty surrounding a series of issues popularly named Stagefright, a name earned because most of the issues found have to do with libstagefright in Android. The security firm Zimperium has published what they are calling Stagefright 2.0, with two new issues surrounding mp3 and mp4 files that could be manipulated to execute malicious code on your phone.

Here's what we know so far, and how to keep yourself safe.

What is Stagefright 2.0?

According to Zimperium, a pair of recently discovered vulnerabilities make it possible for an attacker to present an Android phone or tablet with a file that looks like an MP3 or MP4, so when the metadata for that file is previewed by the OS that file could execute malicious code. In the event of a Man in the Middle attack or a website built specifically for delivering these malformed files, this code could be executed without the user ever knowing.

Zimperium claims to have confirmed remote execution, and brought this to Google's attention on August 15. In response, Google assigned CVE-2015-3876 and CVE-2015-6602 to the pair of reported issues and started working on a fix.

Is my phone or tablet affected?

In one way or another, yes. CVE-2015-6602 refers to a vulnerability in libutils, and as Zimperium points out in their post announcing the discovery of this vulnerability it impacts every Android phone and tablet going back as far as Android 1.0. CVE-2015-3876 affects every Android 5.0 and higher phone or tablet, and could theoretically be delivered via website or man in the middle attack.

HOWEVER.

There are currently no public examples of this vulnerability ever having been used to exploit anything outside of lab conditions, and Zimperium is not planning to share the proof-of-concept exploit they used to demonstrate this issue to Google. While it's possible someone else could figure this exploit out before Google issues a patch, with the details behind this exploit still being kept private it's unlikely.

What is Google doing about this?

According to a statement from Google, the October Security Update addresses both of these vulnerabilities. These patches will be made in AOSP and will roll out to Nexus users starting October 5th. Eagle eyed readers might have noticed the Nexus 5X and Nexus 6P we looked at recently already had the October 5th update installed, so if you pre-ordered one of those phones your hardware will arrive patched against these vulnerabilities. Additional information on the patch will be in the Android Security Google Group on October 5th.

As for non-Nexus phones, Google provided the October Security Update to partners on September 10th, and has been working with OEMs and carriers to deliver the update as soon as possible. If you take a look at the list of devices patched in the last Stagefright exploit, you've got a reasonable picture of what hardware is being considered a priority in this process.

How do I stay safe until the patch arrives for my phone or tablet?

In the event that someone really is running around with a Stagefright 2.0 exploit and trying to infect Android users, which again is highly unlikely due to the lack of public details, the key to staying safe has everything to do with paying attention to where you're browsing and what you are connected to.

Avoid public networks when you can, rely on two-factor authentication whenever possible, and stay as far away from shady websites as you possibly can. Mostly, common sense web stuff for keeping yourself safe.

Is this the end of the world?

Not even a little bit. While all of the Stagefright vulnerabilities are indeed serious and need to be treated as such, communication between Zimperium and Google to ensure these issues are addressed as quickly as possible has been fantastic. Zimperium has rightly called attention to problems with Android, and Google has stepped in to fix. In a perfect world these vulnerabilities wouldn't exist, but they do and are being addressed quickly. Can't ask for much more than that, given the situation we're in.

Latest And Best Prime Day Deals

Amazon's Fire TV Cube is down to just $70 thanks to this Prime Day deal
Amazon Fire TV Cube
$69.99 $119.99 Save $50

Save $80 on the Neato D4 robot vacuum during this Prime Day Lightning deal
Neato Robotics D4 Alexa-enabled laser-guided robot vacuum cleaner
$319.99 $400.00 Save $80

Time is running out. And so is the supply. Grab it while you can.

Grab TCL's 32-inch 720p Roku TV for less than $100 in this Prime Day Lightning deal
TCL 32S325 32-inch 720p Roku TV
$99.99 $130.00 Save $30

Act fast while you can. These Lightning deals tend to sell out quick.

The Ring Alarm security system is reaching new low prices for Prime Day
Ring Alarm home security systems

Various configurations of the Ring Alarm are discounted to their best prices yet exclusively for Prime members at Amazon through Tuesday night to help keep your home secure.

The Sonos Beam Prime Day deal includes a $40 discount and 2 $50 Amazon gift cards
The Sonos Beam Prime Day deal includes a $40 discount and $100 in Amazon gift cards
$359.00 $499.00 Save $140

That's just so much savings in one deal. You'll have to wait for the physical gift cards, but that's basically $100 to spend however you want.

Prime Day dropped this PlayStation 4 console bundle to just $250
PlayStation 4 Slim 1TB console with Marvel's Spider-Man and Horizon Zero Dawn
$249.99 $359.98 Save $110

This deal on the PlayStation 4 Slim console saves you $50 off its regular price while also including Marvel's Spider-Man and Horizon Zero Dawn Complete Edition for free. You'll just need an Amazon Prime membership to snag it.

The newest device in the Echo family, the Show 5, is now down to just $50
Echo Show 5
$49.99 $89.99 Save $40

It's only been on the market since May, but it hasn't escaped the Prime Day price cuts.

Amp up your home security with these huge Prime Day discount on nearly all Ring products
Save on Ring products today only

Whether you need a video doorbell, whole home alarm system, or some lights to brighten a dark area, Amazon has it all marked down today!

More Prime Day Deals