The past couple of months have been filled with a lot of uncertainty surrounding a series of issues popularly named Stagefright, a name earned because most of the issues found have to do with libstagefright in Android. The security firm Zimperium has published what they are calling Stagefright 2.0, with two new issues surrounding mp3 and mp4 files that could be manipulated to execute malicious code on your phone.
Here's what we know so far, and how to keep yourself safe.
What is Stagefright 2.0?
According to Zimperium, a pair of recently discovered vulnerabilities make it possible for an attacker to present an Android phone or tablet with a file that looks like an MP3 or MP4, so when the metadata for that file is previewed by the OS that file could execute malicious code. In the event of a Man in the Middle attack or a website built specifically for delivering these malformed files, this code could be executed without the user ever knowing.
Zimperium claims to have confirmed remote execution, and brought this to Google's attention on August 15. In response, Google assigned CVE-2015-3876 and CVE-2015-6602 to the pair of reported issues and started working on a fix.
Is my phone or tablet affected?
In one way or another, yes. CVE-2015-6602 refers to a vulnerability in libutils, and as Zimperium points out in their post announcing the discovery of this vulnerability it impacts every Android phone and tablet going back as far as Android 1.0. CVE-2015-3876 affects every Android 5.0 and higher phone or tablet, and could theoretically be delivered via website or man in the middle attack.
There are currently no public examples of this vulnerability ever having been used to exploit anything outside of lab conditions, and Zimperium is not planning to share the proof-of-concept exploit they used to demonstrate this issue to Google. While it's possible someone else could figure this exploit out before Google issues a patch, with the details behind this exploit still being kept private it's unlikely.
What is Google doing about this?
According to a statement from Google, the October Security Update addresses both of these vulnerabilities. These patches will be made in AOSP and will roll out to Nexus users starting October 5th. Eagle eyed readers might have noticed the Nexus 5X and Nexus 6P we looked at recently already had the October 5th update installed, so if you pre-ordered one of those phones your hardware will arrive patched against these vulnerabilities. Additional information on the patch will be in the Android Security Google Group on October 5th.
As for non-Nexus phones, Google provided the October Security Update to partners on September 10th, and has been working with OEMs and carriers to deliver the update as soon as possible. If you take a look at the list of devices patched in the last Stagefright exploit, you've got a reasonable picture of what hardware is being considered a priority in this process.
How do I stay safe until the patch arrives for my phone or tablet?
In the event that someone really is running around with a Stagefright 2.0 exploit and trying to infect Android users, which again is highly unlikely due to the lack of public details, the key to staying safe has everything to do with paying attention to where you're browsing and what you are connected to.
Avoid public networks when you can, rely on two-factor authentication whenever possible, and stay as far away from shady websites as you possibly can. Mostly, common sense web stuff for keeping yourself safe.
Is this the end of the world?
Not even a little bit. While all of the Stagefright vulnerabilities are indeed serious and need to be treated as such, communication between Zimperium and Google to ensure these issues are addressed as quickly as possible has been fantastic. Zimperium has rightly called attention to problems with Android, and Google has stepped in to fix. In a perfect world these vulnerabilities wouldn't exist, but they do and are being addressed quickly. Can't ask for much more than that, given the situation we're in.
We may earn a commission for purchases using our links. Learn more.
The U.S. is reportedly close to restoring Huawei’s global chip supply
According to a report from Financial Times, the U.S. Department of Commerce will soon grant licenses to chipmakers to resume the supply of components for use in Huawei’s mobile devices.
5 Chromebook trends that need to die
There's a lot of good things Chromebooks have added in the last few years, but just as there are some rumors that refuse to fade, there are a few trends in the Chromebook world that are hanging on with an unnatural grip that need to be hacked off before they drag the next generation of Chromebooks under.
Review: Xiaomi Mi 10T Pro makes the 108MP camera accessible to everyone
With the Mi 10T Pro, Xiaomi is redefining the value segment. The phone features an outstanding 108MP camera, Snapdragon 865 chipset, and a 144Hz display backed by a massive 5000mAh battery. But the standout feature is the asking price, with the Mi 10T Pro available for just ₹39,999 ($542), making it a standout value.
These are the screen protectors you'll want to get for your Galaxy S20 FE
The Samsung Galaxy S20 FE has arrived and is surely going to compete with the top Android phones for the months to come. If you're planning to hang onto this device for the next few years, you'll want to make sure it's protected from every angle. These are the best screen protectors for the Galaxy S20 FE that you can get today.