You might remember a few months ago we told you about a huge flaw in Android called Stagefright.
It let hackers run malicious code on your Android smartphone or tablet
by sending you a simple text message. Because of the way it worked, it
left more than 900 million gadgets worldwide vulnerable.
Google, carriers and smartphone manufacturers are still
rolling out fixes, but on the whole the problem is under control.
However, the same person who discovered the first flaw, Joshua J. Drake
of Zimperium Mobile Security, has kept digging and turned up a few more
problems in the same system that potentially affect every Android gadget
out there, which is more than a billion. So, what does Stagefright 2.0
Stagefright 2.0 actually consists of two flaws. One affects
every Android gadget from Android 1.0 to the present. The other only
works on Android 5.0 and up.
The flaws rely on how Android handles music and video
files, specifically the metadata. The metadata usually contains
information like the song or video title, album, how often you’ve played
However, if a hacker puts malicious code in that section
and you so much as preview the file, Android will run the code without
checking to see what it is. It could attempt to install a data-stealing
app to try taking over your phone completely. We say “attempt” because
the Android system itself is still fairly tough to crack.
That could be one reason hackers don’t seem to be doing
much with Stagefright 2.0 yet. Also, Google already has a fix it will be
rolling out later this month, but it’s never good to take chances.
One way to minimize your risk is to only download MP3 files
that you’ve converted yourself, or that you get from a reputable store
like iTunes, Google Play or Amazon. Grabbing music from sketchy sites or
file-sharing services is not a good idea at any time, but it’s
especially bad now.
Similarly, you also should avoid downloading MP4 video
files online. That actually isn’t a problem for most people because
you’re more likely to stream video from reputable sites like YouTube or
Netflix. Unfortunately, hackers still have some tricks up their sleeve
that you need to know about.
For example, tapping a link in a phishing text or email
could send you to a malicious website with an embedded MP3 or MP4 file.
From there, it could pop up a notice asking if you want to play it with
your default media player. If you don’t stop to think, you might do it.
The usual rules for phishing attacks apply here. Don’t tap
on links or download attachments from suspicious or unsolicited emails
and texts. And definitely don’t let any audio or video run that you
didn’t ask to run.
Another route hackers could take is to trick you into
installing a malicious app that accesses the Stagefright code libraries.
This gives them the same access they’d get with a malicious media file.
As always, don’t install apps that aren’t from Google Play
or the Amazon App Store. Even in reputable stores, be on the lookout for
apps that are brand new and that ask for media access permissions.
Kim Komando hosts the nation’s largest radio show about
the digital lifestyle, heard on 435 stations in the USA and globally on
American Forces Radio. Find your local radio station, read more digital
news, get the podcast and more at Komando.com.