Android has had a number of security scares over the years, but the Stagefright bug that was made public over the summer spurred Mountain View to action like never before. Patches have already rolled out for that bug, but now security firm Zimperium has announced a second round of Stagefright exploits that aren’t covered by the first patch. Zimperium researcher and VP Joshua Drake says the new Stagefright vulnerability is as dangerous as the first. The good news? Google already has patches ready to go.


Despite the scary name, Stagefright is actually the name of an exploit. It refers to the multimedia engine library in Android known as libstagefright. The new vulnerability in Stagefright is similar to the first one, but the attack vector is different. Stagefright 1.0 relied upon MMS messages to trigger processing of a malicious media file by Stagefright. This could theoretically be used to run arbitrary code on the device. The new issue involves targeting devices via web pages hosting the malicious media files (an MP3 or MP4). The effect is the same — the attacker can run code via the Stagefright library on your device.


The new Stagefright bug actually involves two system components, one of which is libstagefright. The relevant bug for this one was only introduced in Android 5.0, so the headlines claiming a billion affected devices are only telling half the story. Stagefright 2.0 involves libstagefright making a call to a library called libutils in a vulnerable way — that’s the core of the exploit. The libutils library has been in Android since 1.0, so every device has this bug. It’s possible that other system components could make a similarly dangerous API call, so it still needs to be patches ASAP. However, Stagefright 2.0 in its current form is technically only dangerous on Android 5.0 and higher.