Android users are under attack again. The Stagefright bug that Google and OEMs scrambled to fix, only to have a second bug discovered, is back. Users are being targeted with faked audio files that exploit the multimedia preview function in Android to gain access to sensitive areas of a user’s phone or tablet.
The target is sent an mp3 or mp4 file that is encoded with a malicious program and can compromise the Android file system and its security, once opened. More troubling is that an attacker may be able to leverage public Wi-Fi hotspots to infect victims by having them download a file or visit an infected site to infect their phone.
Zimperium Security found the exploit, which isn’t covered by the two rounds of security patches released since July.
Many phone makers like Samsung, LG and HTC have recently committed to begin releasing monthly security updates to their phones but as of yet, this new exploit hasn’t been patched. SMS apps like Textra have recently updated to add Stagefright protection as a feature.
Google is working on fixing the Stagefright exploit in the core code of Android that is distributed to OEMs. A security patch will be available in the October monthly security update that will roll out to Nexus phones on October 5th.