MP3 Files Hack Billion Of Android Phones, Researchers Say

Smartphones Oct 1, 2015

zLabs VP of Research Joshua J. Drake has discovered yet another security issue in the Android OS, which could allow attacks on more than one billion Android devices by hiding exploit code in MP3 and MP4 files. The same researchers had discovered scores of vulnerabilities in the Stagefright media playback tool in August. Going over the Stagefright code one more time, Drake and Zuk Avraham found further issues, dubbing them "Stagefright 2".

Stagefright 2.0 is a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files. The first vulnerability (in libutils) impacts almost every Android device since version 1.0, released in 2008. The researchers found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright). Google assigned CVE-2015-6602 to the vulnerability in libutils.

The issue could allow remote code execution (RCE) via libstagefright on Android 5.0 and later. Older devices may also be impacted if the vulnerable function in libutils is used (by third-party apps, or by vendor or carrier functionality preloaded on the phone).

The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.

An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker-controlled Web site (e.g., mobile spear-phishing or a malicious ad campaign). An attacker on the same network could also inject the exploit using common traffic interception techniques (MITM) into unencrypted network traffic destined for the browser. Third-party apps (media players, instant messengers, etc.) could also trigger an attack if they use the vulnerable library.

Zimperium's team notified the Android Security Team of this issue on August 15th. They assigned CVE-2015-6602 to the libutils issue but have yet to provide us with a CVE number to track the second issue.
