Hacked: Hacking Finance

Video: Stagefright Returns; 500 Million Android Devices at Risk


Samburaj Das

Samburaj Das

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.


Alleged FBI Hacker Lauri Love Ordered to US Extradition by UK Home Secretary 15th November, 2016

The Largest Breach of 2016: 412 Million FriendFinder Accounts Exposed 14th November, 2016


Video: Stagefright Returns; 500 Million Android Devices at Risk

Posted on .

A new variant of the dreaded Android-based Stagefright bug has been successfully exploited by security researchers who showed a proof-of-concept of phone getting hacked remotely. The newly discovered Stagefright bug affects users running Android Lollipop, versions 5.0 and 5.1.

// -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- //

Israeli software security research company NorthBit has, in a detailed research paper, revealed that it has exploited the dreaded Stagefright Android bug which has, in the past, put a billion user devices at risk.

The complete research paper can be found here. [PDF]

The exploit, titled ‘Metaphor’ is shown running in a proof-of-concept video. The target is Google’s Nexus 5, a flagship device on Google’s stock line of Android products. NorthBit has also revealed that it has tested the exploit on other popular Android phones including the Samsung Galaxy S5, the LG G3 and the HTC One.

Fundamentally, the exploit can be triggered by simply visiting a malicious web page as the video shows below.

Stagefright is Back

The name ‘Stagefright’ comes from the namesake software library used by the Android system to parse together media such as videos. It is written in C++ and built inside the system.

It can be exploited by a malicious MMS, as a previous version of the Stagefright bug has shown. In this case, a webpage is shown to execute malicious code on targeted devices.

Google routinely plugs these vulnerabilities with monthly releases for Nexus phones and releases the source code for the patch. However, Android phone manufacturers who implement their own skinned versions of Android aren’t usually in a hurry to release patches and this leaves millions of devices at risk.

As things stand, about 36 percent of the 1.4 billion active Android phones and tablets are currently running Android 5 or 5.1. The numbers reveal that a little over 500 million Android devices running Lollipop are at risk.

The first Stagefright bug was discovered by a security researcher in July 2015, when it was revealed that the vulnerability left up to 95 percent of all Android devices (!) open to exploit.

The second variant of the Stagefright bug was discovered not long after in the same year, when a vulnerability could be exploited via an encoded .mp4 or .mp3 file sent using MMS. 950 million devices were left vulnerable to the bug.

Google has already released its security bulletin that includes system ROMs for Nexus devices along with the patch for all other Android devices, for the month in the first week of March. It is yet to be seen if the newest vulnerability hastens Google into releasing another patch this month.

A spokesperson for Google wasn’t immediately available for comment at the time of publishing.

Featured image from Shutterstock.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.

Feedback or Requests?


Samburaj Das

Samburaj Das

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.

There are no comments.

View Comments (0) ...
Hacking can pay. Just ask Iraqi-born hacker Mustafa Al-Bassam who was…