Stagefright 2: Android bug puts all phones at risk of huge hack, which can’t be fixed and could be contracted just by viewing a single video

Andrew Griffin
Thursday 01 October 2015 13:08 EDT

All Android phones are vulnerable to a huge hack that could allow people to take over phones if people just watch one booby-trapped video.

The flaw, dubbed Stagefright 2 by the team that found it, follows a similar bug earlier this year that also hit all of the billion Android devices in use. It exploits a weakness in one of the pieces of code in the operating system, which can allow hackers access to the device.

In the wake of the first bug, Stagefright, many rushed out changes to their security systems intended to stop similar attacks in the future. But the relevant code still hasn’t been properly patched, according to the researchers.

To exploit it, all attackers need to do is lure someone into opening a URL, which would appear innocent to the user. The victim could then open the video or audio file, and since the flaw can be exploited using the metadata that comes with that file, they wouldn’t need to do anything more.

The team that found the hack, Zimperium, is the same that identified the first Stagefright vulnerability. It is likely to be fixed in an update last week.

But even if a fix is pushed out, users’ phones may not receive the update straight away. Because of the way Android updates are delivered, phone companies must first approve them — a process which can take weeks.

Zimperium said that it would not be publicly releasing any details on the flaw until it was patched by Google. It cannot even update its tool to check whether phones are vulnerable to the problem, it said, so it’s not possible to be sure how many have been hit by it.

The team noted that the original hack had been “a catalyst for change”. “Following our initial Stagefright announcement, industry-leading vendors made a clear statement that security updates will be provided on a monthly basis,” the team wrote.
