Researchers Find New Android Stagefright Exploit

...

The Metaphor exploit, uncovered by security firm NorthBit, can be used to attack devices running Android 2.2 to 4.0; it also bypasses ASLR on versions 5.0 and 5.1. Researchers found the program works best on the Nexus 5 with stock ROM, but phones like the HTC One, LG G3, or Samsung Galaxy S5 are vulnerable with just a few "slight modifications."

Exploit times vary between a few seconds and two minutes; a more sophisticated method reduces those times drastically. In NorthBit's demo, the whole process took about 20 seconds.

It's "hard to comprehend how many devices are [potentially] vulnerable," according to NorthBit, though the firm puts that number at approximately 275 million.

The researchers say Metaphor simply requires the victim to visit a page containing a malicious MPEG-4 multimedia file—adorable cats, for example. That file then crashes the Android mediaserver, resetting the system. Once rebooted, malicious JavaScript hosted on the site forwards device data to the attacker's server. Meanwhile, the poor sap is still scrolling through furry felines.

Metaphor's server then sends a video file, which exploits the vulnerability and gathers additional information about the device, as ZDNet reported. Another video is then transmitted to the victim's handset, infecting it with malware.

Stagefright debuted in late July, when Zimperium researcher Joshua Drake discovered a bug in Google's mobile operating system that gave hackers access to people's phones just by sending a text.

At the time, about 95 percent of Android devices, or 950 million smartphones, were vulnerable, Drake said. Google and other device manufacturers—including Samsung and LG—in August unleashed a massive software update to combat it.

For more, see There's (Almost) Nothing You Can Do About Stagefright.
