Over 1bn Android mobile devices are recognized as affected by a new security bug named Stagefright 2.0. This is the follow-up to the Stagefright vulnerability, which allowed intruders to obtain access to an Android phone by sending it an MMS message. The new, 2.0 version of the security vulnerability exploits two holes in Android and allows a hacker to take over a device using a media file.
According to security experts, previewing an infected song or video file online could enable the hacker to obtain access to an affected mobile device and run remote code. Theoretically, this may provide them full access to a device and install other malware or just harvest sensitive data for use in identity theft. Experts also note that the flaw affects even smartphones that used to have the Stagefright 1.0 patched, including Google’s Nexus and Samsung’s Galaxy S6.
Technically, the security holes originate from the media processing systems of the OS that can be breached, thus opening access to the rest of the device through specially crafted song or video. While Stagefright 1.0 needed a mobile number to be able to send the text message to a target device, 2.0 needs nothing to get into the phone, affecting a much wider audience (estimated as more than 1bn Android devices).
Android developers were notified of the vulnerability in the middle of August. Google acknowledged the flaws and confirmed that they were rated as a critical severity because they could remotely execute code as the privileged mediaserver service, having access to audio and video streams along with privileges that 3rd party apps normally can’t access.
Google is expected to patch the vulnerability in its October security update for Nexus smartphones. As it usually happens to Android, patches for other models will depend on their manufacturers and mobile carriers. Recently, largest phone manufacturers have pledged to roll out monthly security updates for the devices.
In the meantime, security experts report no cases of Stagefright 2.0 being exploited in the wild. Nevertheless, they recommend all Android users to use mobile browser to preview unsolicited audio and video files with caution until a patch is applied. It is believed that too often people fail to understand their mobile devices are no less vulnerable than their desktops.
According to security experts, previewing an infected song or video file online could enable the hacker to obtain access to an affected mobile device and run remote code. Theoretically, this may provide them full access to a device and install other malware or just harvest sensitive data for use in identity theft. Experts also note that the flaw affects even smartphones that used to have the Stagefright 1.0 patched, including Google’s Nexus and Samsung’s Galaxy S6.
Technically, the security holes originate from the media processing systems of the OS that can be breached, thus opening access to the rest of the device through specially crafted song or video. While Stagefright 1.0 needed a mobile number to be able to send the text message to a target device, 2.0 needs nothing to get into the phone, affecting a much wider audience (estimated as more than 1bn Android devices).
Android developers were notified of the vulnerability in the middle of August. Google acknowledged the flaws and confirmed that they were rated as a critical severity because they could remotely execute code as the privileged mediaserver service, having access to audio and video streams along with privileges that 3rd party apps normally can’t access.
Google is expected to patch the vulnerability in its October security update for Nexus smartphones. As it usually happens to Android, patches for other models will depend on their manufacturers and mobile carriers. Recently, largest phone manufacturers have pledged to roll out monthly security updates for the devices.
In the meantime, security experts report no cases of Stagefright 2.0 being exploited in the wild. Nevertheless, they recommend all Android users to use mobile browser to preview unsolicited audio and video files with caution until a patch is applied. It is believed that too often people fail to understand their mobile devices are no less vulnerable than their desktops.
No comments:
Post a Comment