Stagefright 2.0 – Just as bad as Stagefright 1.0

At this point we are all pretty familiar with Stagefright, or at the very least we know its big and bad.  The original Stagefright exploit was discovered in July by the security firm, Zimperium.  At that time Google, manufacturers and carriers scrambled to control the panic and released several patches to prevent the exploit from being used to take over devices.  Unfortunately it looks like these patches weren’t enough as Zimperium has now announced that they have discovered another method to take advantage of the exploit that is not covered by the existing patches.

The original exploit utilized a simple text message containing a video with the malware hidden inside of it.  Most stock messaging apps were setup in a way that either automatically downloaded or played the videos upon opening the text message.  Google’s own Hangouts app was even more vulnerable as it processes video links in messages instantly in order to ensure they were ready for viewing.  In both cases the device would be compromised and the attacker would have complete control over the device.

Stagefright 2.0 is just as scary because it can be implanted in a webpage and automatically take over the device as you go to the webpage.  Hypothetically someone could even do a man in the middle attack on a public Wi-Fi hotspot and inject the exploit into your traffic and infect you there.  Either way your device is compromised and under someone else’s control.

Google is currently hard at work to correct the situation and a patch is scheduled to roll out to Nexus devices tomorrow.  Hopefully the manufacturers and carriers will quickly follow with their own updates.

Source Link: The Verge | Phandroid