A new ‘Stagefright’ vulnerability uncovered by security researchers at Zimperium zLabs could compromise your Android phone just by opening an MP3 file.
One of the new exploits reportedly affects every device from version 1.0, which was released in 2008, and the other impacts devices running 5.0 and above.
The attack is related to the processing of metadata within a MP3 or MP4 video file. Previewing a specially crafted song or video would execute the exploit, which would allow an attacker to execute remote code.
It also affects third-party apps, as the bug is found within the libstagefright library leveraged by some media players. The exploit has not been spotted in the wild at time of writing.
There is no proof-of-concept code for the bug as it is still unpatched, but the company will update its Stagefright detection app once a fix is released.
The researchers reported the bug to Google on August 15th, which plans to release a patch in the next Nexus Security Bulletin scheduled for the second week of October. Phone manufacturers like Xiaomi, Samsung, HTC and Sony will also need to release the update themselves.
According to Motherboard Android Marshmallow will incorporate the fix, though that’s limited to only recent devices.
Unfortunately for older devices that no longer receive updates, it’s likely this security flaw will ever be patched, leaving them susceptible to it until they manually flash a new version of Android.
➤ New Vulnerability Processing MP3/MP4 Media [Zimperium]
Image credit: Shutterstock