New Stagefright Bug Puts Millions of Android Devices at Risk
Security researchers have developed a way to exploit the notorious Stagefright vulnerability present in Android devices. The implementation, dubbed “Metaphor” by the researchers, is capable of gaining remote access to an Android mobile phone in as little as twenty seconds. As many as 235 million phones could be at risk, the researchers said.
Although researchers have known about the Stagefright vulnerability since last summer, it was thought to be relatively difficult to exploit, with no examples of implementations capable of working in the wild. The development of the Metaphor exploit has changed that.
Feasible in the Wild
The exploit was developed by Israel-based security firm Northbit. “This research shows exploitation of this vulnerability is feasible,” the researchers wrote in their paper. “Even though a universal exploit with no prior knowledge was not achieved, because it is necessary to build lookup tables per ROM, it has been proven practical to exploit in the wild.”
Google released a statement saying that users who have installed the October 1, 2015 security update on their phones should be protected against Metaphor. People with relatively new devices that are running Android 6.0 Marshmallow or later should also be safe from attack.
But the majority of Android users are still running Lollipop or earlier versions of the operating system on their phones, leaving potentially hundreds of millions of devices vulnerable to Metaphor attacks. “Looking at these numbers it’s hard to comprehend how many devices are potentially vulnerable,” the researchers said in the report. Although they said the exploit worked best against Nexus 5 models, it could also work against handsets built by other manufacturers.
The Metaphor attack works via a media file hosted on a Web site. The attack only requires that the target device parse a malicious media file’s metadata, such as video length, artist, subtitle, or comments, rather than having to play the actual file. The attack could be launched using either a fake Web site, by hacking into a legitimate site, through free Wi-Fi networks, through QR codes, or via some ads.
The Litany of Stagefright Problems
The Stagefright vulnerability was first discovered by security firm Zimperium almost a year ago. Stagefright refers to a multimedia library used by Android. Since Zimperium’s original discovery, a number of different vulnerabilities associated with the library have been found, forcing Google to release a number of different security updates.
That litany of problems is the very reason Northbit decided to focus on Stagefright, the company said. “The reason to keep researching this library is because it has proven to be very vulnerable in the past (multiple bugs and bad code), affects numerous devices and has many good potential attack vectors: mms (stealthy), instant messaging (automatic), Web browser (minimal to no user interaction) and more,” the firm said.
Although the exploit is really just a proof-of-concept, Northbit said that with additional research it should be possible to convert Metaphor into an even more generic exploit.