The Stagefright vulnerability in Android is nothing new, however for a long time it was (mostly) harmless due to difficulties in reliably using the flaw for malicious purposes Unfortunately for Google and Android users, researchers at Isreali cyber-security firm NorthBit have developed a proof-of-concept exploit, named Metaphor, based on Stagefright that is able to reliably compromise Android devices.
The Metaphor exploit uses a set of back-and-forth communications that allow attackers to probe the defenses of a target device before attempting the compromise. When a victim visits a website that has a malicious MPEG-4 file embedded in it, it will cause Android’s built-in media server to crash, and send data on the device’s hardware to the attacker, it will then send another video file, capture additional data and finally deliver a video file that is able to compromise the device. The procedure may seem long and complicated, but in reality, Metaphor was found to be able to break into most devices within 20 seconds. Unfortunately for fans of stock Android, the attack was found to be most effectual on Nexus 5 devices running their stock firmware, but the customized versions of Android found on phones from HTC, LG and Samsung are not safe.
While this attack may pose a threat to the 275 million Android phones running versions 2.2 all the way to 5.1, devices that are running the most up-to-date version, 6.0 Marshmallow are safe. Additionally, the attack needs to be tailored to a specific set of Android hardware, so it is likely that only those running the most popular devices would be targeted for the attack, as well as many of them having already received patches specifically to defend against Stagefright. As a result, those with older Android devices may want to be careful or think about a new handset, lest they remain vulnerable to this exploit if it enters the wild.