The Metaphor exploit, uncovered by security firm NorthBit, can be used to attack devices running Android 2.2 to 4.0; it also bypasses ASLR on versions 5.0 and 5.1. Researchers found the program works best on the Nexus 5 with stock ROM, but phones like the HTC One, LG G3, or Samsung Galaxy S5 are vulnerable with just a few "slight modifications."
Exploit times vary between a few seconds and two minutes; a more sophisticated method reduces those times drastically. In NorthBit's demo, the whole process took about 20 seconds.
It's "hard to comprehend how many devices are [potentially] vulnerable," according to NorthBit, though the firm puts that number at approximately 275 million.
Metaphor's server then sends a video file, which exploits the vulnerability and gathers additional information about the device, as ZDNet reported. Another video is then transmitted to the victim's handset, infecting it with malware.
Stagefright debuted in late July, when Zimperium researcher Joshua Drake discovered a bug in Google's mobile operating system that gave hackers access to people's phones just by sending a text.
At the time, about 95 percent of Android devices, or 950 million smartphones, were vulnerable, Drake said. Google and other device manufacturers—including Samsung and LG—in August unleashed a massive software update to combat it.