Stagefright 2.0 hits while Android users remain "sitting ducks"

Android users have become "sitting ducks" for hackers, according to a cyber security expert following the discovery of a new Stagefright threat despite millions remaining unprotected from the original bug.

One billion Android devices are at risk from the latest Stagefright vulnerability, which can attack smartphones via song and video files hosted by malicious websites or apps, according to Zimperium Labs, which unearthed the new flaw yesterday after discovering the original Stagefright issue in July.

While Stagefright needed someone's mobile phone number to effect an attack, hackers using Stagefright 2.0 can take control of someone's data and apps via song and video files.

They simply need to persuade their victim to visit a malicious website they control, then preview a media file.

Alternatively, hackers on the same network as their victim could inject the exploit via a man-in-the-middle attack, and third-party apps like media players and instant messengers could be sabotaged by hackers to carry malicious song or video files.

"The attacker gains a foothold, from which they could conduct further local privilege escalation attacks and take complete control of the device," explained Zimperium.

Mark James, IT security specialist at ESET, said the consequences of such an exploit could be devastating.

"This code could in theory allow them full access to your device enabling them to do whatever they wish," he said. "This could include installing other malware or just harvesting your data for use in identity theft."

But the latest flaw emerged as millions of users remain vulnerable to the first Stagefright threat, which can take over phones' data and apps via malicious picture and video messages.

Google has issued a succession of buggy patches since Stagefright first emerged, but so far only ASUS, HTC, LG, Motorola and Nvidia have adapted those to their own customisations of Android, with luxury phonemaker Vertu now set to follow suit.

Security analyst Graham Cluley told IT Pro: "The appalling way that most Android users are treated in regards to security updates has left them as sitting ducks for attackers."

Google said it plans to issue a patch fixing Stagefright 2.0 on Monday, 5 October, but while Zimperium praised its swift response, others have poked holes in its existing patches for the original Stagefright bug.

Other Android vendors are embarking on their own monthly update cycles, but Cluley criticised the pace at which patches are rolled out to end users.

"It's all very well worrying about this latest version of Stagefright, but what about the many other vulnerabilities that Android users are exposed to because so many of them find it impossible to get their hands on a patch," he said.

Security experts G Data counted 440,267 new Android malware threats 4,900 a day in the first quarter of 2015, a 6 per cent rise on the fourth quarter of 2014.

Meanwhile, a 2014 study by F-Secure found Google's operating system accounted for 97 per cent of all mobile malware that year up from 87 per cent in 2013.

In comparison, iPhone, BlackBerry, Palm and Windows Phone devices accounted for less than one per cent of malware last year.

Patching them is another issue entirely, as vendors must adapt Google's patches for their own, heavily customised, versions of Android.

Trey Ford, global security strategist at Rapid 7, explained: "The carriers have a custom software build, with their own out of box experience' with special licensing agreements, software features and promotions. This process exacerbates an already complex supply chain."

This process means that after Google delivers patches to carriers, it can take another nine to 18 months for the carriers to make the patches available to end users.

A Google spokeswoman told IT Pro: "As announced in August, Android is using a monthly security update process. Issues including the ones Zimperium reported, will be patched in the October Monthly Security Update for Android rolling out Monday, October 5th and will be posted about on our blogs."