You may remember Stagefright as a hugely widespread Android flaw that raised concerns over users’ security all over the world. Google finally patched Stagefright a few weeks ago, but it seems to be back for a second go. Now security researchers found a new vulnerability in how videos are processed by Google’s operating system. The way they are handled apparently can allow hackers to run their own code on portable devices.
Like the first flaw, which the company finally fixed in early August, the newly discovered attack affects almost every version of the operating system still in use – from 2010’s version 2.3 “Gingerbread” all the way to April’s version 5.1.1 “Lollipop”. And as in the first case, the security researchers have waited for the developers to fix the flaw before announcing what they found. However, again, the patch is not yet available for end-users, largely due to the fact that it takes weeks to be delivered through the handset ecosystem.
The security experts point out that with the new bug, hackers would be able to run their code with the same permissions that the mediaserver program already has as part of its normal operation. The matter is that the mediaserver program performs and has access to a lot of media-related tasks like taking pictures, reading MP4 files and recording videos. Therefore, the privacy of the Android user may be at risk. Smartphones and tablets with customized versions of Android, where the media-server component was not modified, are affected as well.