Malware alert: Stagefright flaw is back for vicious encore

Stagefright isn't dead yet!

Stagefright isn’t dead yet!

Stagefright, the massive vulnerability that affected more than 1 billion Android devices when it was discovered back in July, is back.

It’s just as dangerous as it ever was, only instead of leaving your smartphone vulnerable to attack via text message, it is now at risk from dodgy music.

Google and its hardware partners have been scrambling to eliminate the Stagefright flaw since it was found, but it seems this is one that can’t be fixed easily. Researchers have found new ways to exploit it, this time with bogus MP3 and MP4 files.

The latest bugs were discovered by Joshua Drake of Zimperium zLabs, who also found the original. Drake says the latest flaws, which are found in Android’s media playback engine Stagefright — hence the name — affect “almost every Android device” in use.

“All Android devices without the yet-to-be-released patch contain this latent issue,” Drake told Motherboard. This leaves them at risk of attack from malicious MP3 and MP4 files that might be planted in URLs they receive, or on the web.

“Merely previewing the song or video would trigger the issue,” Drake added.

This is a little different to the last Stagefright attack, which had the ability to attack your device without your knowledge while you weren’t using it. However, it is possible for this attack to be administered remotely by a person on the same Wi-Fi network.

Google has promised that fixes for these vulnerabilities will be made available to its new Nexus devices on October 5, Motherboard reports. The company has already provided partners with its patch, and it’s up to them to make it available to their own devices.