Over 1 billion of Android devices have become the target of newly discovered remote hacking. The causes behind all these mishaps are the flaws that are well located in the media related components and get triggered through the malicious websites.
The way Android platform processes the media files attract the most vulnerable conditions and allow attackers to force the users into visiting the malicious Web pages. The flaws are the method Android uses to process the metadata of MP3 audio and MP4 video files, and they get exploited once the whole Android system or any other app relying on its media libraries preview these files.
According to researchers by Zimpeium, the mobile security firm, earlier this year, similar multimedia flaws were encountered in an Android library known as Stagefright. This library could be simply exploited by sending a malicious MMS message on the Android devices. The researchers from Zimperium said in a report that these vulnerabilities can cause the execution of a remote code on all the devices starting from the version 1.0 to the latest 5.1.1.
Adrian Ludwig, Android’s lead security engineer, said that a coordinated patching effort from manufacturers of the device is triggered by these flaws. Adrian called it:
Single largest unified software update in the world.
Zimperium discovered a new flaw which is found in the core Android library called “libutils” which affects all the Android versions below 5.0 (Lollipop). Android Lollipopp (5.0- 5.1.1) can also be exploited by combining this newly found flaw with a bug found in Stagefright library. This new attack is termed as Stagefright 2.0 by the Zimperium researchers and is believed to affect over one billion devices.
After the enormous Stagefright flaws, all the messaging apps and latest versions of Google Hangout suppressed the attack vector of MMS. Zimperium researchers said that now the latest method of exploiting the vulnerabilities is through Web browsers. It’s been seen that attackers exploit the flaws by tricking users into visiting malicious websites through email links, instant messages and advertisements displayed on the sites. Attackers can easily inject the exploit into our unencrypted web traffic by simply intercepting users’ internet connection either through routers or on an open wireless network.
The researchers said a third party media player can also act as an attack vector by depending on the vulnerable Android media library for collecting metadata from MP4 and MP3 files.
The flaws were reported to Google on August 15 of this year and a fix is expected to come on October 5 of this year in the form of a monthly Android security update. The vulnerabilities are tracked by Google as CVE-2015-6602 and CVE-2015-3876.
Once the patches become available to the researchers from Zimperium, a free Stagefright Detector app will be updated for flaw detection.