Stagefright 2.0 Warning
Stagefright 2
All Android devices are vulnerable.
The new problem, dubbed Stagefright 2 affects all Android devices and leaves them vulnerable to being hacked.
Stagefright 2 is attackable through two vulnerabilities in the way the Android Operating System (OS) handles .mp3 audio and .mp4 video files.
Unlike the original Stagefright problem, which required the attacker to send a malicious file to the device via the Multimedia Messaging Service (MMS), the new problem just requires that the user opens a malicious file. This could be the result of clicking a link in an email or on a website that had been hacked or just visiting a site that showed an advert that was maliciously crafted.
Google is expected to patch this problem fairly soon. However, the way the Android OS is used on mobile phones, Google releases patches to it’s own devices and to the mobile phone service providers like Vodafone, T-Mobile, 3 and others. These phone providers must then decide if, or when, to push them out to their customers.
Google issued a statement, saying “
“A vulnerability in mediaserver could allow an attacker during media file and data processing of a specially crafted file to cause memory corruption and potentially remote code execution as the mediaserver process.
“The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.
“This issue is rated as a Critical severity due to the possibility of remote code execution as the privileged mediaserver service. The mediaserver service has access to audio and video streams as well as access to privileges that 3rd party apps cannot normally access.”
At this point in time I can only suggest that you do not engage in any activity on an Android device that requires accessing web pages and that you download and install any patches (software updates) that your device provider offers you. Until your phone or tablet is updated there is no way to be protected from this problem.
It may help to see the process of getting the updates pushed out to customers if customers are calling their providers demanding that they get the problem fixed.