Stagefright 2.0 vulnerability is here -- your Android device is probably at risk
Holy cow, Google, what the heck is going on here? Android should have been a utopian Linux-based operating system that was secure and available to all. Unfortunately, the only things being made available to the masses are vulnerabilities. Quite frankly, the search giant is giving Linux a bad name.
When the Stagefright vulnerabilities were made public, it really underscored how broken the Android update problem is. Hell, people like me -- longtime Android users -- switched to iOS as a result. A lack of operating system updates from both manufacturers and cell providers means many users are forced to live with vulnerable devices -- not acceptable. Today, new vulnerabilities dubbed Stagefright 2.0 are revealed, and most Android devices -- since version 1.0 of the operating system -- are now at risk.
"Meet Stagefright 2.0, a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files. The first vulnerability (in libutils) impacts almost every Android device since version 1.0 released in 2008. We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright). Google assigned CVE-2015-6602 to the vulnerability in libutils. We plan to share CVE information for the second vulnerability as soon as it is available", says Zimperium Mobile Labs.
The company further shares, "the vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google's Hangouts and Messenger apps, the likely attack vector would be via the Web browser".
Oh dear, so Android users are at risk when using the web browser -- that is just about everyone. It is not just web browsers, however, but any third-party app that uses the at-risk libraries. Pretty much all Android devices are at risk, folks.
Zimperium Mobile Labs reported this to Google in August, but it is still not fixed in October. The sad fact is, even if the search giant does fix the vulnerability, most devices will never get patched anyway. Why? Manufacturers have long abandoned many devices, leaving only Nexus and very new hardware from popular manufacturers with a possibility of salvation.
Android users, are you comfortable using your device knowing it has vulnerabilities that may never be fixed? Tell me in the comments.