Google Releases Security Patch To Fix Stagefright 2.0 Holes

Google Releases Security Patch To Fix Stagefright 2.0 Holes

Zimperium reported Stagefright 2.0 to the Android Security Team on Aug. 15, 2015, almost two months before the security update was released.
(Photo : Kham Tran | Flickr)

Google released its Nexus security bulletin earlier this week and with it came details of the security fixes, which address the vulnerabilities that are exploited by Stagefright 2.0, the successor of the original Stagefright malware.

After Google addressed Stagefright 1.0, Stragefright 2.0 appeared. Unlike its predecessor, which used MMS, Stragefright 2.0 uses the web browser – either through malicious ads, mobile spear-phishing or man-in-the-middle attacks – to infect a device running on any version of Android, from 1.0 to 5.0.

Zimperium, a company that specializes in mobile security, discovered the malware and submitted its findings to the Android Security Team on Aug. 15. Almost two months after being informed of the new strain, Google finally came out with a security fix.

In a Nexus Security Bulletin post that was published on Oct. 5, Monday, Google stated that an OTA security update for Nexus devices was already released. The source code patches to counter these specific issues will be made available through the Android Open Source Project (AOSP) repository.

"The Nexus firmware images have also been released to the Google Developer site. Builds LMY48T or later (such as LMY48W) and Android M with Security Patch Level of October 1, 2015 or later address these issues," writes Google.

Google notes that the worst of the issues is a "Critical security vulnerability," which allows codes to be remotely executed on infected devices through web browsing, email and "MMS when processing media files." In its severity assessment summary, Google, aside from libstagefright, also tagged remote code execution vulnerabilities in Sonivox, libutils, Skia and libFLAC as critical.

Messenger applications and Hangouts were also modified so that files shared do not automatically get passed to vulnerable services, which include the media server. Verify Apps was also updated to offer more protection against apps that are not installed through Google Play and prompt the user to remove a known malware if it is already installed on a device.

To reduce the chances of getting infected by Stagefright 2.0 and other malware that exploits the same vulnerabilities, Google advises Android users to update to the latest version.

Photo: Kham Tran | FlickrÂ

Source: Tech Times