EnglishFrenchGermanItalianPortugueseRussianSpanish
Home » laptops & PC » Another gaping Android flaw could affect millions of devices
1

Another gaping Android flaw could affect millions of devices

By on March 18, 2016
stagefright-470-75.jpg

A new spin on the Stagefright flaw – which shot to fame as a gaping Android vulnerability last year – is on the scene and could potentially cause users of Google’s mobile OS a good deal of grief.

The exploit, which goes by the name of Metaphor, was revealed by Northbit, an Israeli security consultancy, and could potentially be wielded against millions of Android phones across the globe.

The exploit can be used against devices running Android versions 2.2 through to 4.0, and also Android 5.0 and 5.1 (Lollipop). Concerning the latter, it’s clever enough to bypass ASLR (Address Space Layout Randomisation – a defensive memory protection measure).

As Northbit notes, it has been claimed that Stagefright was impractical to exploit in the wild due to mitigations built into the newer versions of Android, the main pillar of which is ASLR. But it seems these defences aren’t as watertight as folks might previously have believed.

Nexus nobbled

Northbit has published a research paper detailing the exploit, and also a video showing it being used to compromise a Nexus 5 phone running Android 5.0.1, with the user in the demo getting hit simply by being lured into clicking a link to the exploit-laden website.

Apparently the security firm has also successfully leveraged the flaw against LG G3, HTC One and Samsung Galaxy S5 handsets (though slight modifications were needed to target different phones).

In its paper, Northbit concluded: “This research shows exploitation of this vulnerability is feasible. Even though a universal exploit with no prior knowledge was not achieved, because it is necessary to build lookup tables per ROM, it has been proven practical to exploit in the wild.”

Chris Eng, Vice President of Research at Veracode, commented on the issue: “With the discovery of the ‘Metaphor’ vulnerability, 2016 is the third year in a row when a serious application exploit has been discovered which could impact millions of devices.

“Patching application vulnerabilities is especially challenging for the Android community with the number of different manufactures and carriers charged with the responsibility of issuing patches to devices. As with Stagefright, we anticipate that Google will be quick to issue a patch to resolve this problem. However, we hope that we don’t see a replay of Stagefright 2.0 where many of the patches hadn’t been rolled out to end-users.”

Indeed, let’s hope that action is taken promptly, and meanwhile, if you (or your employees) use an Android device, it might be worth taking some extra caution when clicking links. Although these days, vigilance is pretty much a constant need when it comes to links (and attachments).

Via: Wired

Source: techradar.com

#Amazon #Android #Apple #Asus #camera #Galaxy #Google #Games #iPad #iPhone #Lenovo #Lumia #Laptop #Microsoft #Moto #Motorola #news #Nexus #Note #OnePlus #phone #Plus #Releases #review #Samsung #smartphone #Sony #Watch #Windows #Xiaomi #Xperia



Top Brands

Related Articles
1 Comment
  1. Reply Dr. Maurice Williamson March 19, 2016 at 5:29 am

    Where is the news? They avoid Apple bad news all the time. This site and its writers are apple-biased. Just how honest are you? But they always campaign against Android. Have you no shame? Not at all.

    Database of Abandoned iOS App Exposes Details for 198,000 Users – http://news.softpedia.com/news

    An iCloud scam that may be worse than ransomware – https://blog.malwarebytes.org/

    iPhone fingerprint sensor hacked with a finger made of clay at MWC 2016 – http://www.techworm.net/2016/0

About Dixplore

Dixplore is an online magazine about news in tech field, reviews of the latest gadgets, computers, tablets and other cool features which take place in our life.

Subscribe to NEWSLETTER

Subscribe to our news by email.