Zimperium zLabs has made public another vulnerability in Android, calling it Stagefright 2.0. The vulnerability manifests itself when your Android device tries to process a specially and maliciously coded MP3 audio or MP4 video file. The security company says that there are two vulnerabilities, and that this is just the first one – affecting virtually every Android device because the security gap has been there since 2008 and has not been patched in Android 5.0.
As per Zimperium, this vulnerability has already been submitted to Google, given the code CVE-2015-6602 as a vulnerability in “libutils” of Android. The gap is basically that a hacker can remote execute code by having your device process a malicious MP3 or MP4 file. By “process”, this means to even preview or pre-listen to a file, the malicious code can be executed.
If a user would be lured to a malicious website and was convinced to either preview or download a specific harmless-looking content – like an audio file or video file – a hacker can then execute code so he can exploit your device. Also, if any app – audio or media players – play a malicious file “given” or sent to users through various ways, the hacker can also start the exploit from there.
Zimperium is scheduled to release information on the second vulnerability soon, but as it is, Google will have some work to do patching this security gap. Google, in their part, have responded quickly and a fix should be available soon in an update.
SOURCE: Zimperium