New Stagefright Bug Puts Millions of Android Devices at Risk

Security researchers have developed a way to exploit the notorious Stagefright vulnerability present in Android devices. The implementation, dubbed "Metaphor" by the researchers, is capable of gaining remote access to an Android mobile phone in as little as twenty seconds. As many as 235 million phones could be at risk, the researchers said.

Although researchers have known about the Stagefright vulnerability since last summer, it was thought to be relatively difficult to exploit, with no examples of implementations capable of working in the wild. The development of the Metaphor exploit has changed that.

Feasible in the Wild

The exploit was developed by Israel-based security firm Northbit. "This research shows exploitation of this vulnerability is feasible," the researchers wrote in their paper. "Even though a universal exploit with no prior knowledge was not achieved, because it is necessary to build lookup tables per ROM, it has been proven practical to exploit in the wild."

Google released a statement saying that users who have installed the October 1, 2015 security update on their phones should be protected against Metaphor. People with relatively new devices that are running Android 6.0 Marshmallow or later should also be safe from attack.

But the majority of Android users are still running Lollipop or earlier versions of the operating system on their phones, leaving potentially hundreds of millions of devices vulnerable to Metaphor attacks. "Looking at these numbers it's hard to comprehend how many devices are potentially vulnerable," the researchers said in the report. Although they said the exploit worked best against Nexus 5 models, it could also work against handsets built by other manufacturers.

The Metaphor attack works via a media file hosted on a Web site. The attack only requires that the target device parse a malicious media file's metadata, such as video length, artist subtitle, or...
