Android phones and tablets are at risk of a bug that can be activated by playing a malicious music or video file.
Mobile security experts from Zimperium discovered the vulnerability, which has been dubbed Stagefright 2.0.
Stagefright was the name given to a bug that affected Android devices earlier in 2015, which was also discovered by Zimperium. It activated via multimedia messages which, when opened, allowed the attacker to take control of the device.
Stagefright 2.0 manifests itself in the way the device processes mp3 or mp4 files. The smartphone user may unwittingly visit a malicious website that contains the file, or be tricked into opening a vulnerable app. The file doesn’t need to be opened – even previewing it could cause the attack, according to Zimperium.
“The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue,” explains Zimperium in a blog post about its research.
“Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the web browser.”
Zimperium claims every device since 2008 running Android 1.0 is affected. The company notified Google’s Android Security Team of the issue on August 15 and it is currently working on a patch which is due on October 5.
http://home.bt.com/
