Stagefright is quickly becoming the bug that wouldn't die. First discovered in July, the vulnerability allowed attackers to target Android phones over text or MMS, exploiting a weakness in Android's multimedia preview function. Google, manufacturers and carriers scrambled to patch the bug, only to have another bug pop up two weeks later, requiring another round of patches. Now, three months after the initial disclosure, it's all happening again.
Zimperium security a new way to exploit Stagefright that isn't covered by existing patches, first reported by Motherboard. The new vulnerability works by encoding a malicious program into an audio file, delivered over mp3 or mp4. Once a user previews the file or visits a page where that file is embedded, Android's audio preview will activate the program, infecting the device. Even more troubling, the virus can also be deployed by an attacker on a public Wi-Fi network, potentially enabling a self-replicating or wormed version of Stagefright. Because some version of the preview function exists in most versions of Android, nearly every Android device is susceptible to the bug, although specific implementations vary from version to version.
That's particularly disconcerting since some of Android's mitigation strategies have proved to be not as effective against Stagefright as initially thought. Zimperium hasn't released a workable exploit for the new bug yet, so Google and its partners will have a head start in patching the bug, but it leaves Android users counting on carriers and manufacturers for yet another critical patch.
Google is currently working to fix the issue in the core Android code, and says a patch will be included in the October Monthly Security Update, provided to partners on September 10th and rolling out to Nexus phones on October 5th. Android Security has had no reports of active exploitation of the bug so far.
11:11AM ET: Updated with more information from the Android security team.