Have you got an Android device? Then you’re vulnerable. According to new research from Zimperium it’s basically that simple when it comes to the Stagefright 2.0 flaws.
To be more precise only Android devices since Android 1.0 released in 2008 are impacted—oh wait. I guess that’s more or less all of them. Zimperium shared information yesterday in a blog post explaining that two new vulnerabilities can be used to compromise Android devices through malicious MP3 audio or MP4 video files.
Zimperium explains, “The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.”
Earlier this year Google announced that it has one billion—with a “B”—active monthly users. Combining that information with the fact that Android has dominant market share among mobile devices around the world and it seems reasonable that the projected scope of Stagefright 2.0 could impact more than a billion users.
Zimperium describes a few potential attack vectors:
1. An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled Web site (e.g., mobile spear-phishing or malicious ad campaign).
2. An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
3. 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.
Keeping Android Secure
One issue that Android users face is the complexity of the ecosystem. Software updates developed by Google can take months to get through approvals from device vendors and mobile carriers before they’re actually available to users.
“The challenge that the mobile community faces is somewhat tied to the lack of portability between carriers (at least in the United States). When you buy a handset from the carrier, that discounted purchase is subsidized by the carrier contract. The carriers have a custom software build, with their own ‘out of box experience’ with special licensing agreements, software features and promotions,” explains Trey Ford, Global Security Strategist at Rapid7. “This process exacerbates an already complex supply chain. Carriers have inadvertently complicated the hardware supply chain with additional software on multiple hardware platforms, making their quality assurance testing process extremely complicated and slow.”
Ford suggests choosing a device like the Google Nexus 6P or Nexus 5X. “The advice I give friends and family is to buy handsets that allow for updates directly from the manufacturer. For those who love Android—buy directly from Google to remove the carrier-introduced delay when Android releases a security patch.”
That is good advice, but at least part of the patching issue was addressed when Zimperium discovered the original Stagefright flaw. Google enlisted the support of major Android OEM partners to participate in a routine monthly security patch program. Unfortunately, the patch that Google and the OEM partners pushed out for Stagefright didn’t completely resolve the issue because the fix could be circumvented and the vulnerability could still be exploited.
Still, it’s a step in the right direction. Flawed patches happen on occasion and they’re nothing new. What’s more important is that there is a security patch program in place and that Google and its partners can refine and improve the testing and quality assurance processes over time.