New exploit could let hackers seize control of millions of Androids

Stagefright is back, again!

Israeli researchers have created a new exploit that takes advantage of the Stagefright vulnerability found within Android last year, with the concern being that someone could remotely access an infected Android device.

Using the exploit, dubbed “Metaphor,” hackers could seize control of unprotected Android devices when users simply played a malicious video in a web browser. At least in theory.

As is always the case with these kinds of things, a few conditions need to line up for this to be an issue for individual users, but even the chance that it is possible is enough of a worry. The researchers, under the name North-Bit, claim that millions of unpatched Android devices are potentially at risk. North-Bit goes on to say that the exploit is capable of bypassing Google’s security systems by simply having a user visit a URL.

Stagefright is a library that Android uses to play back video and other types of media, and it was discovered to be less than secure last year. Google set about patching the vulnerability out of existence, but with Android being Android, not everyone will have received the necessary updates to ensure their safety.

According to a paper put together by North-Bit to illustrate just how dire things may be for those with affected devices, users don’t actually need to play any infected files in order to find themselves under attack, with a malicious MPEG 4 video file simply having loaded in a web browser being enough for bad things to happen.

As illustrated by the paper, “it was claimed [the bug] was impractical to exploit in the wild, mainly due to the implementation of exploit mitigations in newer Android versions, specifically ASLR.” (That would be address space layout randomization, a security measure that helps protect devices from buffer-overflow attacks.)

The North-Bit team “built a working exploit affecting Android versions 2.2 to 4.0 and 5.0 to 5.1, while bypassing ASLR on versions 5.0 to 5.1 (as Android versions 2.2 to 4.0 do not implement ASLR),” according to the paper.

The full paper on Metaphor is well worth a read if you are of a technical persuasion, or simply want to be scared out of your wits. There’s also a video showing North-Bit’s proof of concept, just to drive the point home!

Here’s hoping Google’s security updates get to the people that are potentially at risk, and fast.