Recently a new security bug in Android was discovered which exploited the way the operating system handled multimedia messages, attackers merely needed to send a malicious message to a target and the phone would pre-load it, meaning that the infected file would run and the malicious code creeps into the device. Google released three patches for that bug and while that’s done and dusted it has been discovered that there’s yet another way the Stagefright bug can be used to pump malicious code into an unsuspecting device.
The discovery has been made by security firm Ziperium, the very same firm that made the initial Stagefright discovery a couple of months back, it found out that attackers can use malicious audio files to do the deed.
Basically what attackers need to do is encode malware into an MP3 or Mp4 file and then send it out, Android users who tap on the downloaded file will let the operating system automatically preview the song. This triggers the malware which will then enter the device.
Almost all builds of Android have this automatic preview feature which means that more than one billion devices are susceptible to attacks using this method before Google comes out with a fix.
Google is said to be working on a fix for the Stagefright bug right now which is expected to arrive before the October security update for Android in a couple of days.
Filed in . Read more about Android, Google and Stagefright. Source: motherboard.vice