Android Vulnerability - "Stagefright"

Stagefright is a remotely exploitable software bug that affects versions 2.2 ("Froyo") and newer of the Android operating system. It allows an attacker to perform arbitrary operations on the victim device through remote code execution and privilege escalation. Security researchers demonstrate the bug with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed, while using the phone number as the only target information.

The underlying attack vector exploits certain integer overflow vulnerabilities in the Android's core component called "Stagefright",  which is a complex software library implemented primarily in C++ as part of the Android Open Source Project (AOSP) and used as a backend engine for playing various multimedia formats such as MP4 files

Stagefright 2.0 is finally back in the ranks of Android vulnerability, causing over 1bn Android devices to be hacked easily through a remote server execution. Stagefright bug was first encountered in 2008 when the hacker can easily hack the device and get access to internal resource and execution by simply exploiting the media handling capabilities of the Android devices. The first Stagefright bug enabled hackers to send an MMS message and take control of the device.

Stagefright 2.0 is security vulnerability made of two holes in Android that can allow an attacker to take over a Smartphone via an MP3 or MP4 video.The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.Mark James, security specialist at ESET said: “Visiting a website and previewing an infected song or video file could enable the attacker to gain access to your mobile device and run remote code, in theory allowing them full access to your device enabling them to do whatever they wish ... including installing other malware, or just harvesting your data for use in identity theft.”The vulnerability affects even those smartphones that have had the original Stagefright bug patched, such as Google’s Nexus devices and Samsung’s Galaxy S6 series. 

If your device is vulnerable, keep an eye on news from your handset manufacturer for updates which might patch the vulnerabilities.