Less than two months after Google and several Android smartphone manufacturers released a security update to patch the Stagefright bug that affected about a billion Android-powered devices, security experts are warning about Stagefright 2.0. The newly discovered bug also affects all Android devices running 5.1 or below, including the devices that have had the original Stagefright bug patched.
Unlike the first Stagefright bug that allows an attacker to take over an Android device by sending an MMS message, the two Stagefright 2.0 vulnerabilities uncovered allow an attacker to cripple the device using mp3 (audio) or mp4 (video) files.
If a user visits a website that hosts an infected song or video file and previews the said media content, the vulnerability in Android operating system allows an attacker to gain access to the device and run remote code. An attacker could attain full access to a victim's device, and install malicious programs as well as glean personal information from it.
"The first vulnerability (in libutils) impacts almost every Android device since version 1.0 released in 2008. We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright)," wrote Zimperium, the security firm which had also discovered the original Stagefright vulnerability.
The new bug is even more alarming as it doesn't require a lot information to take over an Android device. The first version of Stagefright required an attacker to know your mobile number of the victim, as a text was needed to be sent your device. Due to its nature, the new bug doesn't need an attacker to know your mobile number.
(Also See: Google's Android Stagefright Security Patch Is Flawed, Says Researcher)
Google was notified about the bug in August, and the company flagged it as a critical vulnerability. "This issue is rated as a critical severity due to the possibility of remote code execution as the privileged mediaserver service. The mediaserver service has access to audio and video streams as well as access to privileges that third party apps cannot normally access," it said.
Google is yet to offer a patch to Nexus smartphones. The company's partnered smartphone manufacturers are also yet to offer an update to squash the bug. Samsung and Google in August had promised to offer monthly security updates. Until the patch arrives on your device, you're advised not to preview an audio or video file on an untrusted website.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.