Zimperium zLabs has released details about Stagefright 2.0: two Android vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files.
The first vulnerability (in libutils) impacts most Android devices since version 1.0, released in 2008; processing malicious MP3 or MP4 files can lead to arbitrary code execution.
“We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright). Google assigned CVE-2015-6602 to the vulnerability in libutils,” said Zimperium zLabs.
The security company said the vulnerability lies in the processing of metadata within the files, so previewing the song or video would trigger the issue.
Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.
Zimperium zLabs added that it plans to share CVE information for the second vulnerability as soon as it is available.