Dive Brief:
- Mobile security firm Zimperium said newly found vulnerabilities in the way Android processes media files can lead to remote code execution on almost all devices that run Android.
- Attackers can compromise devices by tricking users into visiting maliciously-crafted Web pages.
- The flaws can be exploited when the Android system previews MP3 audio files and MP4 video files.
Dive Insight:
Zimperium researchers say the flaw affects over 1 billion Android devices.
Attackers can lure users to websites that exploit the flaw through links in email, instant messages or malicious advertisements placed on legitimate websites. Researchers said third-party media player or instant messaging apps that rely on the Android library may also be used as a way in. The vulnerability is similar to the Stagefright bug that affected Android devices earlier this year.
"As more and more researchers have explored various vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area," the Zimperium researchers said. "Many researchers in the community have said Google replied to bugs they reported saying they were duplicate or already discovered internally."
Google said a fix will be released on Oct. 5.