New vulnerability: One song can compromise all Android devices

Security researchers at Zimperium zLabs have discovered a new "Stagefright" vulnerability that could make your Android phone vulnerable simply by opening an MP3 file.

There are reportedly several ways to exploit this vulnerability. One attack method affects almost all Android phones, since any phone running Android 1.0 (released in 2008) or later is affected; the other attack methods mainly target Android 5.0 and later.

The attack, called the "Stagefright 2.0 attack," is related to the way the system handles metadata in MP3 or MP4 files. It allows an attacker to execute code remotely on a user's phone when the Android system previews a specially crafted song or video file.

It also affects third-party applications, as this vulnerability was found in the libstagefright library used by some media players. As of the time of writing, the security community has not found any real cases of attacks using this method.

No proof-of-concept code is available for the vulnerability, as it has not yet been patched, but the company will update its Stagefright detection app once a fix is publicly released.

The researchers reported the vulnerability to Google on August 15, and Google plans to release a patch to fix the vulnerability in the Nexus security bulletin in the second week of October.

Some mobile phone manufacturers such as Xiaomi, Samsung, HTC and Sony will also release upgrade patches themselves, but they have not yet disclosed specific plans.

According to Motherboard, Android Marshmallow will incorporate the patch, but it will be limited to the latest devices.

The situation is less optimistic for older devices that no longer receive updates. The security hole may be fixed, but unless users manually flash their phones to a newer version, they could be vulnerable at any time.

A large-scale attack of this kind over the Internet would have catastrophic consequences, because it only requires a user to visit a URL containing a malicious file, which is easy to arrange, for example by executing a download command in a seemingly legitimate song.
