New Stagefright flaw puts millions of Android devices at risk

A security firm has discovered a new Stagefright vulnerability which allows attackers to bypass Google’s security and potentially affect millions of Android devices. The flaw lets hackers install malware and get remote access to a person’s phone.

Bugs in Stagefright, an Android media code library, first made headlines last year. Google subsequently sent out fixes for the issue and integrated a defense system termed address space layout randomization (ASLR) to make it harder for hackers to carry out attacks. Israel-based company NorthBit has now managed to craft an exploit dubbed Metaphor to bypass ASLR.

NorthBit researchers say the new Stagefright vulnerability affects early Android versions with no ASLR, in addition to 5.0 and 5.1 Lollipop, which make up about 23.5% of all Android devices, equaling roughly 235 million units. The firm utilized a Nexus 5 to demonstrate in a video the damage the problem could inflict. It also claims to have executed the attack on an LG G3, Samsung Galaxy S5 and HTC One.

The entire operation gets done in less than 60 seconds. First, a mail or message containing a malicious link to a website that hosts a video is sent to a user. The site crashes and resets Android’s mediaserver software. Once the system gets rebooted, the JavaScript on the page starts sending data to the hacker’s server.

The cyberattacker then sends an infected video which collects more information about the device such as its security and internal state. Finally, a third video is sent across to go for the kill, contaminating the phone with malware and allowing the attacker to remotely spy or seize control of the handset.

NorthBit’s research paper notes that the attack works best on pure Android phones like the Nexus 5. However, with slight modifications, even assaults on non-stock handsets are possible.