×

How a song threatens a billion Android devices

Over a billion Android devices could be at risk of being hacked by listening to an audio file or watching videos.

A new bug has been discovered in Google's mobile operating system which allows attackers to inject malicious code into a device and potentially steal information when a person accesses a specifically crafted MP3 or MP4 file.

The vulnerability called "Stagefright 2.0" was discovered by a team of researchers at Zimperium, a mobile security firm, and is said to affect "almost every Android device" since the first version in 2008.


Attendees visit the Android booth during a Google I/O developers conference in San Francisco.
Getty Images
Attendees visit the Android booth during a Google I/O developers conference in San Francisco.

There are several ways a user could be targeted. Firstly, a hacker could try to convince a user to visit a malicious webpage and preview a music or video file. This would give the attacker an opportunity to hack a user.

A criminal could also intercept unencrypted traffic between a device and another server – also known as a man-in-the-middle attack – in order to inject the malicious code into the files being transferred.

"The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue," Zimperium wrote in a blog post on Thursday.


More hacks to come?

Zimperium notified the Android Security Team of the issue on August 15. A fix will be issued in the next security update for Android, scheduled for Monday. People will get the update at different times depending on the device they own since each manufacturer will bring out their own update.

Stagefright 2.0 follows on from another bug discovered earlier this year by Zimperium known as "Stagefright". This allowed attackers – armed with only your mobile number – to send you a specifically crafted media file delivered via MMS to execute a malicious code on your phone. A user wouldn't even have to take action and could be attacked while they slept.

Researchers at Zimperium said that there may be more of the same bugs to solve.

"As more and more researchers have explored various vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area," the cybersecurity firm said.