Researchers Find New Android Stagefright Exploit

...

The Metaphor exploit, uncovered by security firm NorthBit, can be used to attack devices running Android 2.2 to 4.0; it also bypasses ASLR on versions 5.0 and 5.1. Researchers found the program works best on the Nexus 5 with stock ROM, but phones like the HTC One, LG G3, or Samsung Galaxy S5 are vulnerable with just a few "slight modifications."

Exploit times vary between a few seconds and two minutes; a more sophisticated method reduces those times drastically. In NorthBit's demo, the whole process took about 20 seconds.

It's "hard to comprehend how many devices are [potentially] vulnerable," according to NorthBit, though the firm puts that number at approximately 275 million.

The researchers say Metaphor simply requires the victim to visit a page containing a malicious MPEG-4 multimedia file—adorable cats, for example. That file then crashes the Android mediaserver, resetting the system. Once rebooted, malicious JavaScript hosted on the site forwards device data to the attacker's server. Meanwhile, the poor sap is still scrolling through furry felines.

Metaphor's server then sends a video file, which exploits the vulnerability and gathers additional information about the device, as ZDNet reported. Another video is then transmitted to the victim's handset, infecting it with malware.

Stagefright debuted in late July, when Zimperium researcher Joshua Drake discovered a bug in Google's mobile operating system that gave hackers access to people's phones just by sending a text.

At the time, about 95 percent of Android devices, or 950 million smartphones, were vulnerable, Drake said. Google and other device manufacturers—including Samsung and LG—in August unleashed a massive software update to combat it.

For more, see There's (Almost) Nothing You Can Do About Stagefright.
