All Android phones left vulnerable to new 'Stagefright' hack as Google struggles to fix exploit
Published 02/10/2015 | 11:45
Millions of Android phones are at risk of being hack over a new bug that Google claims it can not fixed until October.
The flaw, dubbed Stagefright 2, follows a similar bug earlier this year that exploited a weakness in the operating system which allowed hackers access to the device.
To get access to a phone, all attackers need to do is lure users into previewing a video or audio file – a function that is turned on in nearly all Android smartphones.
Any Android user who clicks on the downloaded file will prompt the OS to automatically preview the song or video, thereby infecting their device.
Read More: WhatsApp exploit put 200 million users at risk
In practice, this means an attacker can remotely execute code on a victim's device by sending them a malicious MP3 or MP4 file.
Worse still, the exploit can be deployed on public wifi networks or embedded in webpages.
Google has already begun work on patching this new threat but said any fixed will not be ready until October’s monthly security update.
Until the patch rolls out however, over a billion Android phones will be left vulnerable to the exploit.
When first discovered in July, Stagefright made it possible for attackers to infect a device with malicious code through Android’s MMS multimedia preview feature.
Read More: Apple's App Store hit by first major malware attack
Google rushed to patch this vulnerability but two weeks later a new bug was discovered and a fresh batch of patches had to be cooked up.
“Now, months after we thought we were relatively safe, Stagefright has returned like horror movie monster in the third act,” said Zimperium Security, who discovered the new exploit.
“This is troubling news, because even the previous strategies used to deal with Stagefright have proven to be less effective than they were designed to be.”