A new spin on the Stagefright flaw – which shot to fame as a gaping Android vulnerability last year – is on the scene and could potentially cause users of Google’s mobile OS a good deal of grief.
The exploit, which goes by the name of Metaphor, was revealed by Northbit, an Israeli security consultancy, and could potentially be wielded against millions of Android phones across the globe.
The exploit can be used against devices running Android versions 2.2 through 4.0, and also Android 5.0 and 5.1 (Lollipop). Against Lollipop, it is clever enough to bypass ASLR (Address Space Layout Randomisation, a defensive memory protection measure that randomises where code and data are loaded).
As Northbit notes, it has been claimed that Stagefright was impractical to exploit in the wild due to mitigations built into the newer versions of Android, the main pillar of which is ASLR. But it seems these defences aren’t as watertight as folks might previously have believed.
Northbit has published a research paper detailing the exploit, and also a video showing it being used to compromise a Nexus 5 phone running Android 5.0.1, with the user in the demo getting hit simply by being lured into clicking a link to the exploit-laden website.
Apparently the security firm has also successfully leveraged the flaw against LG G3, HTC One and Samsung Galaxy S5 handsets (though slight modifications were needed to target different phones).
In its paper, Northbit concluded: “This research shows exploitation of this vulnerability is feasible. Even though a universal exploit with no prior knowledge was not achieved, because it is necessary to build lookup tables per ROM, it has been proven practical to exploit in the wild.”
Chris Eng, Vice President of Research at Veracode, commented on the issue: “With the discovery of the ‘Metaphor’ vulnerability, 2016 is the third year in a row when a serious application exploit has been discovered which could impact millions of devices.
“Patching application vulnerabilities is especially challenging for the Android community with the number of different manufacturers and carriers charged with the responsibility of issuing patches to devices. As with Stagefright, we anticipate that Google will be quick to issue a patch to resolve this problem. However, we hope that we don’t see a replay of Stagefright 2.0 where many of the patches hadn’t been rolled out to end-users.”
Indeed, let’s hope that action is taken promptly. Meanwhile, if you (or your employees) use an Android device, it might be worth taking extra caution when clicking links, though these days vigilance is pretty much a constant need when it comes to links (and attachments).