Everything you need to know about Stagefright 2.0, Android’s newest security threat

The scare that the original Stagefright hack caused is back in a reboot called Stagefright 2.0. This new strain was discovered by Zimperium zLabs, the same folks who found the original vulnerability.

Unfortunately, the really bad news is that Stagefright 2.0 affects almost every Android device ever released. According to Google’s latest stats, that’s about 1.4 billion devices worldwide. Even worse, it doesn’t matter if your device received a patch for the original Stagefright hack because this is a completely new vulnerability.

What is Stagefright 2.0?

Stagefright 2.0 is very similar to the original: it relies on a media file containing malicious code that, once executed, gives a hacker control of your device. Stagefright 1.0 involved MP4 video files, but Stagefright 2.0 code can be executed from both MP4 video and MP3 audio files.

Just like the original, hackers would have access to all your data, and even be able to access the microphone and camera once the malicious code is executed.

The name Stagefright comes from the media playback engine in Android of the same name. That playback engine is where the vulnerability resides, and Stagefright 2.0 can take full advantage of it.

Stagefright 2.0 consists of two vulnerabilities. The first one resides in libutils and affects almost every Android device since 2008. The second one resides in libstagefright and can be used on devices running Android 5.0 and higher.

How it works

The hacker would need to get an MP3 audio or MP4 video containing the malicious code on your device. The process of merely previewing the song or video would set the malicious code in motion.

The original Stagefright hack involved sending an MMS message of the malicious video file that Google Hangouts or other third-party Messenger apps would receive and automatically download. Patches have been issued for a number of devices, but users who don’t have a patched phone also have the ability to defend themselves by setting their apps to not download such media files automatically.

Since hackers can no longer use Google Hangouts or other Messenger apps, they have to use other methods to get a media file with Stagefright 2.0 code on your device. One is via a Web browser, where the victim is duped into visiting a URL controlled by the attacker. An attacker could also use third-party apps that would automatically install and possibly play a malicious media file. Finally, an attacker on the same network could manipulate your device by using common traffic interception techniques (MITM). This last method is the least likely.

What are Google and other manufacturers doing?

Zimperium notified the Android Security team on August 15, and Google will issue a fix for the first vulnerability (libutils) next week. This will be pushed to Nexus devices, and is likely going to be included in the Android 6.0 Marshmallow update. Google has assigned CVE-2015-6602 to this vulnerability.

Google has yet to assign a Common Vulnerabilities and Exposures (CVE) number to the second vulnerability (libstagefright), so it’s not clear when a patch will be issued.

Zimperium also sent an update to the company’s Zimperium Handset Alliance (ZHA), which includes most major Android manufacturers. This information can be used by manufacturers to patch existing and upcoming devices.

Unfortunately, it’s unlikely that older devices, especially those two years and older, will ever get the update. Manufacturers notoriously abandon older devices. While newer devices will likely receive the update, it will most likely be delayed due to carrier testing.

How can you defend yourself?

Unfortunately there isn’t much you can do at the moment, but we recommend the following:

  • Always download apps from Google Play or the Amazon App Store. Avoid other app stores, and do not sideload apps from untrusted sources.
  • Pay attention to the websites you’re visiting and don’t click on links in emails and text messages from people you’re not familiar with.
  • Download the Stagefright Detector app to find out if your device is affected. As of the time of this post, the app cannot detect Stagefright 2.0, but Zimperium will be updating it once Google issues its patch.

We will continue to update this post when Google and other manufacturers issue patches or if any new methods of defending yourself are discovered.
