A new variant of the dreaded Android-based Stagefright bug has been successfully exploited by security researchers, who showed a proof-of-concept of a phone being hacked remotely. The newly discovered Stagefright bug affects users running Android Lollipop, versions 5.0 and 5.1.
Israeli software security research company NorthBit has, in a detailed research paper, revealed that it has exploited the dreaded Stagefright Android bug which has, in the past, put a billion user devices at risk.
The complete research paper can be found here. [PDF]
The exploit, titled ‘Metaphor’, is shown running in a proof-of-concept video. The target is Google’s Nexus 5, a flagship device on Google’s stock line of Android products. NorthBit has also revealed that it has tested the exploit on other popular Android phones including the Samsung Galaxy S5, the LG G3 and the HTC One.
Fundamentally, the exploit can be triggered simply by visiting a malicious web page, as the video shows.
Stagefright is Back
The name ‘Stagefright’ comes from the software library of the same name, which the Android system uses to parse media such as videos. It is written in C++ and built into the system.
It can be exploited by a malicious MMS, as a previous version of the Stagefright bug has shown. In this case, a web page is shown to trigger the execution of malicious code on targeted devices.
Google routinely plugs these vulnerabilities with monthly releases for Nexus phones and releases the source code for the patch. However, Android phone manufacturers who implement their own skinned versions of Android aren’t usually in a hurry to release patches and this leaves millions of devices at risk.
As things stand, about 36 percent of the 1.4 billion active Android phones and tablets are currently running Android 5 or 5.1. The numbers reveal that a little over 500 million Android devices running Lollipop are at risk.
The first Stagefright bug was discovered by a security researcher in July 2015, when it was revealed that the vulnerability left up to 95 percent of all Android devices (!) open to exploit.
The second variant of the Stagefright bug was discovered not long after in the same year; it involved a vulnerability that could be exploited via an encoded .mp4 or .mp3 file sent using MMS. 950 million devices were left vulnerable to the bug.
Google already released this month's security bulletin, which includes system ROMs for Nexus devices along with the patch for all other Android devices, in the first week of March. It remains to be seen whether the newest vulnerability prompts Google to release another patch this month.
A spokesperson for Google wasn’t immediately available for comment at the time of publishing.