Update: 10th January 2016:
Further updates addressing newer issues within libstagefright have been made available. Please see this more recent blog post for details.
Update: 17th November 2015:
Further updates addressing newer Stagefright issues have been made available. Please see this more recent blog post for details.
Update: 6th October 2015:
As scheduled, Google has begun rolling out the fixes for the Stagefright 2.0 issue. The update, Build LMY48T, addresses 30 CVEs (defined) (20 critical, 5 high, 3 moderate and 2 low severity), of which 15 were in libstagefright and 2 were in libutils (both libraries are mentioned in my post below).
Full details are provided by Google in this Google Groups post. As mentioned in my post below, Sophos has provided a comprehensive list of tips to stay safe from these Stagefright 2.0 vulnerabilities.
Last week a new set of 2 security vulnerabilities affecting Google’s smartphone operating system Android were disclosed. Zimperium, the same security firm that discovered the original Stagefright vulnerabilities, found these new flaws and has named them Stagefright 2.0.
The first vulnerability, assigned CVE-2015-6602 (CVE, defined), affects versions of Android since version 1.0 from the year 2008. The second vulnerability (not yet assigned a CVE number) is a method of triggering the first flaw in Android version 5.0 and later.
Why Should These Issues Be Considered Important?
It is estimated that at least one of these new issues is present in approximately 1 billion Android devices. On newer devices (Android version 5.0 and later) remote code execution (where an attacker can remotely trigger code of their choice to carry out any action they choose) is possible via libstagefright. All other devices may be affected if third-party apps or apps bundled by the mobile carrier use the library libutils to process specifically crafted MP3 (audio) and MP4 (video) files.
In addition, there are 3 further means by which these issues could be exploited by an attacker: an attacker on the same network as your Android device could add the exploit to unencrypted traffic using a man-in-the-middle attack (MITM, defined); an attacker could simply have you inadvertently visit a malicious website via a phishing (defined) email containing a link; or an attacker could use a compromised advertisement present on a website of their choice.
The final 2 methods of attack are much more likely to occur in practice than the original Stagefright issue (which relied on older MMS (defined) messages). For example, a spear phishing (defined) campaign took place in August in an attempt to have users visit a fake Electronic Frontier Foundation site, while in January AOL’s advertising network was delivering adverts that exploited the devices that viewed them.
How Can I Protect Myself From These Issues?
Since the disclosure of the original Stagefright issue, the speed with which fixes are made available has improved. A fix for this issue will begin to be made available to Google Nexus devices today. Other manufacturers such as Samsung and LG should follow suit very soon.
Sophos has provided a comprehensive list of tips to stay safe from these Stagefright 2.0 vulnerabilities.
As mentioned by Symantec in this blog post, please ensure that you only apply updates from your mobile carrier or device manufacturer.
In addition, Zimperium will be updating their Stagefright Detector app to check whether your device is vulnerable to these newer Stagefright issues once updates resolving them are made available. This is useful since you can use that app to tell whether your device has received the appropriate updates.
Please note that reviews for the Zimperium Stagefright Detector app are mixed, so you may wish to try other apps to check whether your device is vulnerable.