New Stagefright Bug Puts Millions of Android Devices at Risk
By Jef Cozza / CRM Daily
Security researchers have developed a way to exploit the notorious Stagefright vulnerability present in Android devices. The implementation, dubbed “Metaphor” by the researchers, is capable of gaining remote access to an Android mobile phone in as little as twenty seconds. As many as 235 million phones could be at risk, the researchers said.

Although researchers have known about the Stagefright vulnerability since last summer, it was thought to be relatively difficult to exploit, with no examples of implementations capable of working in the wild. The development of the Metaphor exploit has changed that.

Feasible in the Wild

The exploit was developed by Israel-based security firm Northbit. “This research shows exploitation of this vulnerability is feasible,” the researchers wrote in their paper. “Even though a universal exploit with no prior knowledge was not achieved, because it is necessary to build lookup tables per ROM, it has been proven practical to exploit in the wild.”

Google released a statement saying that users who have installed the October 1, 2015 security update on their phones should be protected against Metaphor. People with relatively new devices that are running Android 6.0 Marshmallow or later should also be safe from attack.

But the majority of Android users are still running Lollipop or earlier versions of the operating system on their phones, leaving potentially hundreds of millions of devices vulnerable to Metaphor attacks. “Looking at these numbers it’s hard to comprehend how many devices are potentially vulnerable,” the researchers said in the report. Although they said the exploit worked best against Nexus 5 models, it could also work against handsets built by other manufacturers.

The Metaphor attack works via a media file hosted on a Web site. The attack only requires that the target device parse a malicious media file’s metadata, such as video length, artist subtitle, or comments, rather than having to play the actual file. The attack could be launched through a fake Web site, by hacking into a legitimate site, through free Wi-Fi networks, through QR codes, or via some ads.

The Litany of Stagefright Problems

The Stagefright vulnerability was first discovered by security firm Zimperium almost a year ago. Stagefright refers to a multimedia library used by Android. Since Zimperium’s original discovery, a number of different vulnerabilities associated with the library have been found, forcing Google to release a number of different security updates.

That litany of problems is the very reason Northbit decided to focus on Stagefright, the company said. “The reason to keep researching this library is because it has proven to be very vulnerable in the past (multiple bugs and bad code), affects numerous devices and has many good potential attack vectors: mms (stealthy), instant messaging (automatic), Web browser (minimal-to-no user interaction) and more,” the firm said.

Although the exploit is really just a proof-of-concept, Northbit said that with additional research it should be possible to convert Metaphor into an even more generic exploit.

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.