New vulnerabilities discovered in Android

    Two new 0day vulnerabilities were discovered in the Google Android mobile OS that allow attackers to execute code on a user's device using specially crafted MP3 or MP4 files. A pair of these vulnerabilities CVE-2015-6602 and CVE-2015-3876 belong to the Remote Code Executon (RCE) type and are called Stagefright 2.0, which is similar to the previous Stagefright vulnerabilities that Google fixed earlier as part of the monthly update packages [ 1 , 2 ].

    Vulnerabilities are present in Android system components with the names libutils and libstagefright, they allow the exploit to work with maximum permissions on the device, gaining full control over it. This allows attackers to install malware on it and steal user confidential information.

    The main vector of attack using these vulnerabilities is a mobile web browser, which can allow the user to play a deleted media file. Such an operation is enough to exploit these vulnerabilities, since the original Stagefright vulnerabilities were already closed by Google earlier and attackers cannot rely on sending MMS messages and automatically exploiting. In this case, they need in one way or another to lure the user to a website with malicious content. All versions of this mobile OS are vulnerable to vulnerabilities.

    The corresponding update to fix these vulnerabilities has not yet been released, but Google promises to fix them this month, also as part of a monthly set of updates. A list of released Android security bulletins can be found at this link . We recommend that users do not click on phishing links from SMS text messages or e-mail messages, or visit suspicious resources where they are invited to listen to the proposed content.

    be secure.

    Also popular now: