Over a billion Android customers are at risk from a new version of the Stagefright vulnerability that makes it possible for hackers to take over a victim’s phone by directing them to a specially crafted MP3 or MP4 file, according to new research. Known as Stagefright 2.0, news of the exploit comes after it was revealed in July that 950 million Android phones could be hijacked with just a text message.
Zimperium Mobile Threat Protection unveiled the research behind Stagefright 2.0 Thursday. The attack only requires a hacker to create an MP3 or MP4 file, embed malicious software inside it and send the link to the target number. A victim wouldn’t even need to download anything to enable the exploit to bypass an Android phone’s security restrictions to take remote control of a user’s camera, SD memory card, and other personal information.
The Android operating system has approximately 1.4 billion 30-day active users, Google CEO Sundar Pichai revealed at a Nexus event in San Francisco Tuesday.
“The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue,” Zimperium said in a statement. “Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.”
The most likely form of injection would be for an attacker to start a spearphishing campaign, or create a malicious ad, to direct a user to the malicious URL address. It would also be possible for a hacker to insert the exploit by intercepting a user’s unencrypted network traffic with a Man In The Middle attack, which occurs when an attacker alters the communication between two specific targets.
Google added the new vulnerability to the list of the Common Vulnerabilities and Exposures list, the public log of known vulnerabilities, after Zimperium reported the finding.