Two vulnerabilities, collectively dubbed Stagefright 2.0, have been discovered in Android that could allow hackers to take over phones using MP3 and MP4 files.
Joshua J. Drake of Zimperium zLabs found two vulnerabilities which could allow specially crafted audio or visual files to execute arbitrary code on affected devices.
If a user visited a website and accessed an infected file, the attacker might be able to use this code execution to gain full access to the device.
The first, in ‘libutils’, impacts almost every Android device since the first version in 2008. The second, in ‘libstagefright’, was found to affect devices running version 5.0 and up.
Zimperium reported the vulnerability to Google and will share proof-of-concept code with members of the Zimperium Handset Alliance, but not the general public.
In a blog post, Zimperium wrote that it expected to see more vulnerabilities of this kind.
"As more and more researchers have explored various vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area."
SOTI, the enterprise mobility management company, commented that IT professionals needed to take steps to prevent the vulnerability from hitting enterprises.
"Employees often adopt a more cavalier attitude to downloading and clicking links in the workplace as they assume there is robust security in place, and managing these devices is a complex challenge.
"Beyond enforcing an encryption and authentication mandate, personal devices must be containerised to keep personal usage separate and corporate data secured. Also, applications can be managed to protect employees from untrusted applications."