PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

Stagefright 2.0 Targets Nearly Every Single Android Device

Angela Moscaritolo
 & Angela Moscaritolo Managing Editor, Consumer Electronics

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

If you thought you heard the last of the Stagefright bug back in August, think again.

Less than two months after Google tackled the vulnerability with the "world's largest software update," the researchers who first disclosed the flaw announced they have discovered another serious, widespread threat to Android devices.

"Meet Stagefight 2.0, a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files," mobile security firm Zimperium wrote in a blog post.

The first vulnerability of the two impacts nearly every single Android device since version 1.0, released in 2008, the researchers said. Together, the two bugs can allow an attacker to execute arbitrary code on an affected device via specially crafted MP3 or MP4 files.

The researchers found ways to exploit the flaw in devices running Android 5.0 and later, but said older devices may be impacted as well via third-party apps like media players and instant messengers that are using the vulnerable library, or other carrier functionality pre-loaded onto the device. The bug apparently lies in the way metadata within files is processed, "so merely previewing the song or video would trigger the issue."

The flaw would most likely be exploited via the Web browser after an attacker convinced an unsuspecting user to visit a malicious URL, such as a mobile spear phishing site or malicious ad campaign.

Zimperium said it notified Google's Android Security Team about the issue on Aug. 15, and they "responded quickly and moved to remediate," though a patch is not yet available. The security firm said it won't share a proof-of-concept exploit with the general public, but will update its Stagefright Detector app to identify the flaw once Google issues a patch.

"We encourage vendors to update their Android devices to incorporate the fix as soon as possible," Zimperium wrote.

Meanwhile, the company warned that this isn't the last you'll hear of Stagefright. "As more and more researchers have explored various vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area," Zimperium wrote. "Many researchers in the community have said Google has replied to their reported bugs saying that they were duplicate or already discovered internally."

Last month, Zimperium published details about the initial Stagefright exploit. Making the code available to the general public lets "security teams, administrators, and penetration testers alike...test whether or not systems remain vulnerable," Zimperium said.

About Our Expert

Angela Moscaritolo

Angela Moscaritolo

Managing Editor, Consumer Electronics

My Experience

I'm PCMag's managing editor for consumer electronics, overseeing an experienced team of analysts covering smart home, home entertainment, wearables, fitness and health tech, and various other product categories. I have been with PCMag for more than 10 years, and in that time have written more than 6,000 articles and reviews for the site. I previously served as an analyst focused on smart home and wearable devices, and before that I was a reporter covering consumer tech news. I'm also a yoga instructor, and have been actively teaching group and private classes for nearly a decade. 

Prior to joining PCMag, I was a reporter for SC Magazine, focusing on hackers and computer security. I earned a BS in journalism from West Virginia University, and started my career writing for newspapers in New Jersey, Pennsylvania, and West Virginia.

The Technology I Use

My little Florida beach bungalow is brimming with smart home tech. I have a smart speaker or display in every room, allowing me to control other connected devices by voice. The Nest Hub on my bedside table lets me set wake-up alarms, control my smart light bulbs, and set the temperature on my smart thermostat. I use the Amazon Echo Show 8 on my kitchen counter to browse recipes, reorder protein powder, check the weather, and watch the news while I do dishes. 

Because I suffer from allergies, air purifiers are essential. My favorite model is the Dyson Purifier Cool TP07, which doubles as a fan and continuously sends indoor pollution data to its companion mobile app. 

My pitbull Bradley sheds, so a good robot vacuum is a must. I currently use a premium Ecovacs Deebot that can both vacuum and mop, empty its own dustbin, and wash its own mop cloth. 

For fitness, I like to mix up my routine with cycling, indoor rowing, running, and strength training in addition to yoga. I take classes on the Tonal 2 smart strength training machine, I row indoors on an Aviron machine, and track my beach runs with an Apple Watch while listening to music on my Apple AirPods Pro. On the weekends, I love riding e-bikes like the rugged, beach-friendly Aventon Aventure for fun and fitness.

My job involves a lot of virtual meetings, so a quality webcam, microphone, and ring light are important. I use the Jabra PanaCast 20 webcam, the Elgato Wave: 3 microphone, and a Yesker tripod ring light. 

As for my preferred phone platform, I'm an iPhone person, but I've also extensively used Android for product testing.

Read the latest from Angela Moscaritolo

Read full bio