Tech

'Metaphor' Stagefright exploit exposes millions of Android devices

The newly-discovered Stagefright variant can be used to break into Samsung, LG and HTC smartphones.

Written by Charlie Osborne, Contributing Writer March 18, 2016 at 4:49 a.m. PT

Millions of Android devices are vulnerable to a new Stagefright exploit which can compromise a device in less than 20 seconds, researchers say.

According to Israel-based NorthBit, the newly-disclosed Stagefright exploit, dubbed Metaphor, can be used in attacks against Nexus 5, LG G3, HTC One and Samsung Galaxy S5 mobile devices, which potentially leaves millions of devices open for exploit.

In a paper documenting their research (.PDF), the team said they created an exploit which impacts devices running on Android versions 2.2 and 4.0, while also bypassing ASLR on versions 5.0 and 5.1. The overall aim of the project was to bypass address space layout randomization (ASLR), a protection system for system memory which prevents buffer-overflow attacks, allowing Stagefright to be exploited.

Stagefright, otherwise known as libstagefright, is an Android multimedia library which hit the headlines in 2015 after Zimperium security researcher Joshua Drake discovered a number of vulnerabilities affecting the media playback engine.

The researcher called it the "worst Android vulnerabilities discovered to date," made worse as while Google can develop and release fixes, it is up to vendors to push forward the patches -- and it is unlikely older models will be protected from this threat.

Security

The attack vector is simple: the victim only needs to be lured to a crafted page containing a malicious MPEG-4 multimedia file.

Once the visitor is in place, the video file crashes Android's media server, which resets the system. Once rebooted, malicious JavaScript hosted on the Web page forwards device data to the cyberattacker's server.

Metaphor's server then sends a crafted video file which exploits the vulnerability and gathers additional information about the device's internal protections. Yet another video file is channeled to the victim's device, which is then processed by libstagefright, infecting the smartphone with malware.

The cyberattack targets CVE-2015-3864, which allows for remote code execution, potentially leading to information leaks, surveillance and device takeovers.

The researchers provided a proof-of-concept (PoC) video below demonstrating the attack on an Android Nexus 5 smartphone, and the attack took no more than 20 seconds before the device was completely compromised.

The researchers note that roughly 23.5 percent of Android devices are versions 5.0 and 5.1, which equates to approximately 235,000,000 devices, and furthermore, 4 percent of Android versions running on devices do not have ASLR protections, which equates to approximately 40,000,000 mobile devices which could be vulnerable to exploit.

"Looking at these numbers it's hard to comprehend how many devices are potentially vulnerable," the researchers say.

Google has released a swathe of patches to mitigate the security flaw, and earlier this month, pushed forward a new Stagefright patch which tackles CVE-2016-0824, an information disclosure vulnerability in Stagefright.