When a technology becomes popular enough to amass a user base of 1 billion, it also becomes an attractive target for cybercriminals. At the recent Nexus event, Google CEO Sundar Pichai revealed that the Android ecosystem now spans 1.4 billion users. That sounds impressive, but only until you hear that these 1.4 billion users are exposed to a security vulnerability and are unlikely to receive a fix anytime soon.


In July we heard about a vulnerability called Stagefright, which allowed anyone to remotely execute code on an Android device with the help of an MMS. Google quickly released an update to fix the issue, but it has still not reached a majority of devices due to Android’s fragmented nature. Now the mobile security firm Zimperium has found that the same vulnerability can also be exploited with the help of MP3 or video files. A cybercriminal may create audio or video files containing malicious code that exploits the vulnerability and upload them to the web. When Android users download and play the files, the malicious code can execute on their devices. Once that code is executed, its developer may remotely alter files on the user’s device, steal sensitive information such as passwords, and do almost everything else that someone could do as a normal user with physical access to the device.

After studying the vulnerability, Zimperium revealed that remote code execution becomes possible because of the same library that was responsible for the Stagefright security vulnerability, dubbed libstagefright (hence the name Stagefright 2.0). As of now almost every Android device is vulnerable to it, and the only way to avoid being hacked is to stop downloading music or video files from unknown sources. For music you can trust the Google Play store or other major music services, and for videos your best bet will be YouTube and Dailymotion. Avoid downloading music or videos from those “free download” sites, because pirated content downloaded from them may put your security at risk.

Google was notified about the vulnerability on August 15 and has already released a security update to fix the bug, which may reach Nexus devices by October 5. However, owners of other devices are at the mercy of device manufacturers. So if you own one of those “other than Nexus” devices, avoid downloading pirated media content for your own security.