Even though Google promptly issued a patch for that particular vulnerability, the security research company that found the original bug, Zimperium, has now found two new vulnerabilities in Stagefright, enabling hackers to take over an Android device by sending the victim a specially crafted multimedia file.
Joshua Drake, a researcher at Zimperium zLabs, told Motherboard:
“All Android devices without the yet-to-be-released patch contain this latent issue.”
Unlike the original Stagefright exploit, which required sending a text message, an attacker is now more likely to try and lure the victim onto a web site, which contains the malicious multimedia file. The bad part is that the victim doesn’t even have to open the file.
“The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue,” Zimperium wrote in a blog post.
Though Google has acknowledged the issue, a patch is still not available. Worse, even after Google releases it, it might take some time for Android phone manufacturers to implement it, as it did with the original Stagefright bug.
The best course of action for users right now is to avoid opening multimedia files and links from unknown sources.