New bug lets hackers infect Androids via multimedia files

folarin okunola

October 2, 2015 4:40 PM

In practical terms, this means that an attacker can remotely execute code on a victim’s device by sending them a malicious MP3 or MP4 file.

Android Marshmallow is going to be Google's next OS and it will be taking over from Android Lollipop

Back in July, a bug in Android’s media playback system called Stagefright, which only needed a specially crafted text message to the victim’s phone in order to remotely execute code, left about a billion devices vulnerable to hackers.

Although Google promptly issued a parch for that particular vulnerability, the security research company that initially found the original bug, Zimperium, has found two new vulnerabilities in Stagefright, which could enable hackers to take over an Android device by sending the victim a specially crafted multimedia file.

“All Android devices without the yet-to-be-released patch contain this latent issue,” said a researcher at Zimperium zLabs, Joshua Drake.

In practical terms, this means that an attacker can remotely execute code on a victim’s device by sending them a malicious MP3 or MP4 file. The bad part is that the victim doesn’t even have to open the file.

READ: 95% of all Android devices are vulnerable to this newly found bug

"The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue," wrote Zimperium in a blog post.

Google has acknowledged the issue, but a patch is still not available yet. Even when Google does release a patch, it could take some time for Android phone manufacturers to implement it.

The best thing for users to do right now is to avoid downloading or opening multimedia files and links with unknown sources.

folarin okunola