It's BACK – Stagefright 2.0: Zillions of Android gadgets can be hijacked by MP3s, movie files

Pop tunes pop phones


Updated More than a billion Android phones, tablets and other gadgets can be hijacked by merely previewing MP3 music or MP4 video files.

Booby-trapped songs and vids downloaded from the web or emails can potentially compromise vulnerable devices, and install spyware, password-stealing malware, and so on.

This is all thanks to two remote-code execution flaws billed as the second iteration of the original Stagefright vulnerability.

Zimperium researcher Joshua J Drake found the pair of Android security bugs (CVE-2015-3876 in libstagefright, and CVE-2015-6602 in libutils), and reported them to Google. We're told they will be patched in an upcoming over-the-air update to people. The flaws are present in all versions of Android in use.

There's more bad news – we're told Google has already pushed out a fix for the most critical hole to the latest Android phones. This means criminals could well be studying the changes to cook up malware-laden MP3s to infect devices that cannot be patched, or get their patches late.

"The first, and most critical issue, was pushed to AOSP nearly immediately despite an embargo," Zimperium told Vulture South.

"Good guys and bad guys alike scour open source projects to find recently patched security issues – patching an open source software project without providing an update puts users at risk, if even only for a matter of weeks."

Thanks to the fragmented state of Android – patches have to be slowly fed from Google to hardware manufacturers and out to people via mobile carriers – just half of all affected users, and possibly far fewer, stand any hope of receiving a fix.

Without the patch, phones and other gadgets running Android can be potentially hijacked and wrecked by software nasties hidden in MP3 or MP4 files.

Zimperium hacker Zuk Avraham said the 40 per cent of Android users on version 4.4, aka KitKat, may receive patches along with the 20 per cent running version 5, aka Lollipop, since Google slung out patches in this way when it fixed the first Stagefright hole (CVE-2015-1538) in July.

"While we have no specific information about what devices will receive fixes, we believe Android devices running Android KitKat 4.4 and later will receive updates," Avraham said.

"However, since Android 6 is due to release next week as well, it's possible that only 5.0 and 6.0 devices will receive updates."

Google was not immediately available for comment.

That reasoning suggests a best-case scenario where 40 per cent of users running rather old Android phones are unpatched, and a worst case where somewhere around 70 or 80 per cent are unpatched, depending on uptake of Android 6.

Déjà vu

Stagefright 2.0 vulnerabilities are triggered when specially crafted MP3 audio or MP4 video files are scanned by software within Android. These files can be downloaded from the web, or from phishing emails, and allow arbitrary code smuggled within the media to execute.

The Zimperium guys have produced proof-of-concept exploit code, but will only share it with some customers.

Google was notified of the flaws on 15 August.

[Figure: Android versions as of September this year]

New Android phones running Lollipop or later will be instantly hosed by any music or videos exploiting the vulnerable Stagefright library, the researchers said. People owning the 20 per cent of devices running Lollipop or later are probably wealthier than others, and therefore more attractive targets.

While most users run KitKat, about 30 per cent sport Jelly Bean versions 4.1 to 4.3.1. Those latter luddites can still be hosed through malware that taps Android's libutils.

The first Stagefright hole revealed in July demonstrated how remote code execution could be obtained in a similar way by sending a poisoned MMS. It required no user interaction for users on Google Hangouts. ®

Updated to add

Google has been in touch to say the bugs will be patched in this month's batch of security fixes for Android, due out this Monday. People installing Android by hand from AOSP, and Nexus owners, will get the update from October 5. Everyone else will have to wait for their hardware maker and carrier to issue the patches, if at all.

The web giant is also not aware of anyone exploiting the flaws – but that will change as malware writers study the open-source patches, we reckon.
