Thought the Stagefright saga was all behind us? Think again. In a new paper published by Israel's NorthBit, we're shown that Stagefright can still prove to be a serious threat to older devices, with some able to be cracked in as little as 20 seconds. If you're still toting around a Nexus 5, LG G3, HTC One, or Samsung Galaxy S5, you should take note.
Samsung's Galaxy S5, released in 2014, is affected by Metaphor
As a bit of a recap, Stagefright isn't just one bug; rather, it's an overarching vulnerability that includes a number of different bugs that affects Android devices versioned 2.2 and newer. While modern phones that still receive updates would have likely received a patch for Stagefright long ago, it doesn't take long in the mobile world for a phone to hit end-of-life status, so there remain a countless number of affected devices out there. If someone breaks through to your device via Stagefright, they could execute code remotely. What makes it truly dangerous, however, is that they could do so with escalated privileges.
The folks at NorthBit were kind enough to produce a video showing off the attack, and you might just be surprised by how simple it is. As soon as someone visits a webpage that has an infected .MP4 file, you'll be able to see the phone begin handshaking with what NorthBit calls the "control center". To see the attack carried out so easily is a rather alarming.
An obvious question is raised from all of this: "What can you do to protect myself?" That's a tough one to answer, because it would assume that your device is still supported and able to receive updates (at which point it should have received the update already). It's ultimately up to carriers to push through these security updates, so you'd do well to give your carrier a call or shoot them an email and request information about receiving patches. If you're fine with getting your hands dirty, you could also replace the entire ROM on your device with a custom one that's patched, though that's obviously more than a reach for may mainstream users. Otherwise, if you're using one of the affected devices, we'd encourage you to exercise great caution when clicking on a link you are given, or happen to stumble on.