New Android vulnerability in processing MP3 and MP4 data puts over 1 billion devices at risk of remote hacking
Even as the Android Stagefright vulnerability is in the process of being patched for millions of Android users, Joshua Drake has dropped another Android bombshell. He has discovered two more vulnerabilities, which exist in the way Android handles the metadata of MP3 and MP4 files. A potential hacker could compromise Android devices by tricking users into visiting maliciously-crafted Web pages.
Once the victim visits such malicious websites, the vulnerabilities can lead to remote code execution on almost all devices that run Android, starting with version 1.0 of the OS released in 2008 to the latest 5.1.1, researchers from mobile security firm Zimperium said in a report scheduled to be published Thursday.
Earlier Drake published details in August about critical Android vulnerabilities in the Stagefright media playback engine, he had promised there would be more issues in Android operating system. Today, Drake who is the vice president of platform research and exploitation at Zimperium, disclosed two more flaws in Android OS. Out of the two, the first one affects all Android devices back to the first version of Android, while the second dependent vulnerability that was introduced in Android 5.0.
Once the vulnerabilities are exploited, hackers can enable remote code execution and lead to privilege escalation, putting an attacker in control over a compromised device. They would have full access to personal data and photos stored on the phone, be able to take photos, record conversations, exfiltrate email and SMS/MMS messages and load additional apps.
The bugs affect more than one billion Android devices in circulation as of today.
Google has been messy with the patches for Stagefright and as of now only Nexus smartphones/tablets have been patched. A couple of top carriers/manufacturers have also released the patch for the same, however most of the Android smartphones remain vulnerable to the stagefright vulnerability.
Now, with disclosure of these two additional vulnerabilities, dubbed Stagefright 2.0, Google security team will have to work overtime to release the patches. The Zimperium researchers have said that the vulnerabilities have not yet been exploited in the wild but given that one of the bugs has been in Android since the very beginning, it’s likely they could have been used in an attack.
Zimperium’s Chairman and founder, Zuk Avraham said that the most logical attack vector would be the mobile browser where an attacker tricks the victim via phishing or malvertising to visit a URL hosting the exploit. An attacker could also inject the exploit via a man-in-the-middle attack, or host a malicious third-party app that uses the vulnerable library. An attacker would use a specially crafted MP3 or MP4 file in this case to exploit the vulnerabilities.
“It’s a library that was written very badly,” Avraham said of Stagefright. “The library itself is pretty vulnerable; it has a lot of code mistakes. The media processing is not as safe as it should be.”
One of the vulnerabilities which is found in the core Android library called libutils has been assigned CVE-2015-6602. The second vulnerability was introduced into libstagefright in Android 5.0; it calls into libutils in a vulnerable way, Avraham said. The libstagefright issue affects apps that utilize Android’s multimedia APIs, which call into the library.
We reached out to Google and it said that the patch for the above vulnerabilities is being readied and will be rolled out on 5th October, 2015. Google’s statement is given below :
‘As announced in August, Android is using a monthly security update process. Issues including the ones Zimperium reported, will be patched in the October Monthly Security Update for Android rolling out Monday, October 5th and will be posted about on our blogs.’