The VICE Channels

    New Stagefright Bugs Leave More Than 1 Billion Android Users Vulnerable

    Written by

    Lorenzo Franceschi-Bicchierai

    Staff Writer

    Image: Scott Akerman/Flickr

    In July, a security researcher revealed that Android phones could be hacked with a simple text, thanks to a series of bugs in the Android operating system that are now commonly known as Stagefright.

    On Thursday, the same security researcher warned that two new Stagefright bugs can allow hackers to break into your phone by tricking you into visiting a website containing a malicious multimedia file, either mp3 or mp4. These two new bugs were also found in the Android media playback engine called Stagefright, just like the first series of bugs disclosed in late July.

    Joshua Drake, a researcher at Zimperium zLabs, and also author of the Android’s Hacker Handbook, found that one vulnerability affects “almost every Android device” since the first version of the operating system, released in 2008. The second vulnerability allows hackers to trigger the first, even in newer version of Android, such as 5.0 and above.

    It’s likely that 1.4 billion people are affected by these bugs.

    Researchers at Zimperium zLabs estimate that at least 950 million Android users, and likely more are vulnerable to these these bugs. Zuk Avraham, the company’s founder and Chief Technology Officer, said that it’s likely that 1.4 billion people are affected.

    “I cannot tell you that all of the phones are vulnerable, but most of them are,” he told Motherboard in a phone call.

    Drake put it more bluntly: “All Android devices without the yet-to-be-released patch contain this latent issue,” he told Motherboard in an email.

    To take advantage of these bugs, a hacker can trick a potential victim into opening a website where he has planted a malicious mp3 audio file, or a malicious mp4 video file, or by tricking the victim to open them in a third party application, say a multimedia player, that depends on the vulnerable Android libraries.

    “Merely previewing the song or video would trigger the issue,” Drake wrote in a blog post.

    A more remote possibility is if the hacker is on the same network as the victim (say, they’re both connected to the coffee shop’s Wi-Fi). In that case, Drake explained, the hacker can inject the exploit code intercepting the victim’s unencrypted network traffic. In this case, the hacker doesn’t need the victim to click on links or open any files. Zimperium is not releasing the full technical details to exploit these vulnerabilities yet.

    “Merely previewing the song or video would trigger the issue.”

    A Google spokesperson said that a patch for these new vulnerabilities will be rolled out to users of its Nexus phones on October 5. The internet giant also shared the patch privately to partners on Sept. 10, and is working with manufacturers and carriers “to deliver updates as soon as possible.”

    We have reached out to Samsung, HTC, Sony, Motorola, Lenovo, LG, and Huawei to know when they plan to push out patches for these new Stagefright bugs.

    A Motorola spokesperson said that the company will “address” these bugs, and other security issues already patched by Google “with our upcoming Android M upgrades, and with maintenance releases for certain devices not getting Android M.” The spokesperson did not specify a date, but said more details on this will come out “soon.”

    The other companies have yet to respond to our request for comment, but we will update this story when they do.

    Stagefright, more than any other bug before it, exposed Android’s faulty update strategy, as most manufacturers needed several weeks, if not months, to patch the first Stagefright bug.

    In the wake of the first series of Stagefright bugs, Google and several phone manufacturers pledged to release security updates more frequently. But before that, Android users with non-Nexus phones were at the whims of their manufacturers and carriers, who often stopped offering updates, or pushed even critical security patches months after the vulnerabilities were published.

    Just an aside here: That’s the main reason I wrote a rant about abandoning Android and jumping ship to the iPhone.

    Again, if you care about security, perhaps you should think about switching to another operating system. But if you want to stay with Android, the Nexus phones get quick patches from Google. Another option is the little-know, privacy-minded, Black Phone, which is manufactured by Silent Circle. The Black Phone patched the first batch of Stagefright bugs even before Zimperium zLabs revealed them publicly. (Silent Circle did not respond to my request for comment related to these new bugs.)

    Drake wrote that Zimperium notified Google of these bugs on August 15. But the Stagefright nightmare might not be over yet. A couple of weeks ago, Drake tweeted that he had reported another 8 bugs to Google.

    Drake told Motherboard that some of those bugs, some with “critical severity” and some with “low severity,” are currently going through the disclosure process. Some, however, were duplicates that Google security engineers had already found.

    Avraham said he could not talk about these other bugs just yet, and that they are now disclosing only “the most dangerous ones.” But he also added that this “doesn’t necessarily mean that there aren’t more vulnerabilities” in Android’s Stagefright engine that no one has found yet.

    “It’s likely that there are more,” he said.