Stagefright Vulnerability Can Compromise Android Devices In 20 Seconds Or Less

Thought the Stagefright saga was all behind us? Think again. In a new paper published by Israel's NorthBit, we're shown that Stagefright can still prove to be a serious threat to older devices, with some able to be cracked in as little as 20 seconds. If you're still toting around a Nexus 5, LG G3, HTC One, or Samsung Galaxy S5, you should take note.

Samsung Galaxy S5
Samsung's Galaxy S5, released in 2014, is affected by Metaphor

As a bit of a recap, Stagefright isn't just one bug; rather, it's an overarching vulnerability that includes a number of different bugs that affects Android devices versioned 2.2 and newer. While modern phones that still receive updates would have likely received a patch for Stagefright long ago, it doesn't take long in the mobile world for a phone to hit end-of-life status, so there remain a countless number of affected devices out there. If someone breaks through to your device via Stagefright, they could execute code remotely. What makes it truly dangerous, however, is that they could do so with escalated privileges.

This new Stagefright-derived bug has been dubbed "Metaphor", and can bypass the ASLR (address space layout randomization) protections in memory in Android 2.2 and 4.0, on the devices mentioned above. People can fall victim to the bug by visiting a webpage that has a malicious .MP4 video file on it. Loading that file will cause Android to crash and restart, which will then allow JavaScript hosted on the attacker's server of choice to run. This leads to information being gathered and another malicious video being brought in, which then accomplishes the ultimate goal of granting access to the device.

The folks at NorthBit were kind enough to produce a video showing off the attack, and you might just be surprised by how simple it is. As soon as someone visits a webpage that has an infected .MP4 file, you'll be able to see the phone begin handshaking with what NorthBit calls the "control center". To see the attack carried out so easily is a rather alarming.

An obvious question is raised from all of this: "What can you do to protect myself?" That's a tough one to answer, because it would assume that your device is still supported and able to receive updates (at which point it should have received the update already). It's ultimately up to carriers to push through these security updates, so you'd do well to give your carrier a call or shoot them an email and request information about receiving patches. If you're fine with getting your hands dirty, you could also replace the entire ROM on your device with a custom one that's patched, though that's obviously more than a reach for may mainstream users. Otherwise, if you're using one of the affected devices, we'd encourage you to exercise great caution when clicking on a link you are given, or happen to stumble on.