Metaphor – The first reliable ‘Stagefright’ exploit for Android smartphones

Android users who thought they were well past the critical ‘Stagefright’ vulnerability, thanks to patches and updates from Google and smartphone manufacturers, are in for a shock. The Stagefright vulnerability was discovered last year and put more than a billion Android smartphones at risk. Since then, the Android security team and many smartphone manufacturers have issued patches and updates to mitigate the risk.

It seems that these updates and patches are of no use, as security researchers from Northbit have managed to reproduce a successful Stagefright exploit. The researchers successfully exploited the Android Stagefright bug, which puts millions of Android devices at risk of being hijacked and leaves phones and tablets open to remote compromise. In a demonstration, the researchers were able to remotely hack a phone with a Stagefright-based exploit.

As recently described in a report from Wired, the hack would give attackers complete access to a device’s files, which they could copy or delete, as well as access to the camera and microphone.

Israel-based research firm Northbit published a research paper this week in which it claims to have found a “proper” exploit, dubbed Metaphor, using a new vulnerability in Stagefright.

The firm’s researchers demonstrated the hack in a video using a Google Nexus 5, and have successfully replicated the exploit on an LG G3, an HTC One, and a Samsung Galaxy S5. The team was able to hack devices running Android 2.2, 4.0, 5.0, and 5.1. Thankfully, other versions of Android don’t seem to be affected by the issue. According to the researchers, roughly 36 percent of the 1.4 billion active devices running Android 5.0 Lollipop or 5.1 are vulnerable. In other words, Android users who do not have the latest security updates are vulnerable to the hack.

Stagefright itself is a vulnerability in a software library, written in C++, that is built into the Android operating system. The Zimperium researchers said the library was susceptible to memory corruption: when an MMS message containing a video is sent to the device, a video composed in the right way can execute malicious code and hijack an Android smartphone.

The researchers describe a three-step process for hijacking an Android device in the paper. A user is first made to visit a specially crafted webpage that hosts a video file capable of crashing the mediaserver software on the target handset. The video file resets mediaserver, and the page waits for it to restart. Then JavaScript on the webpage sends details about the device to the attacker’s server, which generates another video file and sends it to the device; this video brings back more information, such as the internal state of the device. Finally, a third video file is sent to the victim’s device; it executes a malware payload and begins spying.
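From a defender’s side, the first stage above leaves a visible trace: mediaserver crashing and restarting several times in a short span. The following detector is an added example (not code from the Northbit paper or from the original article) that scans logcat-style lines for such a burst; the sample lines and the `F DEBUG` / `name: mediaserver` crash pattern are constructed assumptions, not output documented by the paper.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed logcat-style sample (assumption: this is roughly how a native
# crash of mediaserver is reported; not taken from a real device capture).
SAMPLE_LOG = """\
03-17 10:00:01.120  1201  1201 F DEBUG   : pid: 1150, tid: 1150, name: mediaserver  >>> /system/bin/mediaserver <<<
03-17 10:00:02.300   402   402 I ServiceManager: service 'media.player' died
03-17 10:00:09.500  1320  1320 F DEBUG   : pid: 1290, tid: 1290, name: mediaserver  >>> /system/bin/mediaserver <<<
03-17 10:00:12.000   700   700 I ActivityManager: Start proc com.example.app
03-17 10:00:15.200  1330  1330 F DEBUG   : pid: 1301, tid: 1301, name: mediaserver  >>> /system/bin/mediaserver <<<
03-17 10:05:00.000  1400  1400 F DEBUG   : pid: 1390, tid: 1390, name: mediaserver  >>> /system/bin/mediaserver <<<
"""

# Assumed crash line shape: "MM-DD HH:MM:SS.mmm  pid  tid F DEBUG : ... name: mediaserver"
CRASH_RE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\d+\s+\d+\s+F DEBUG\s*:.*name: mediaserver"
)


def parse_crash_times(log_text, year=2016):
    """Return the timestamps of mediaserver crash lines (logcat omits the year)."""
    times = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            times.append(datetime.strptime(f"{year}-{m.group(1)}", "%Y-%m-%d %H:%M:%S.%f"))
    return times


def find_crash_bursts(times, window_s=60, threshold=3):
    """Sliding window: report the start of each window holding >= threshold crashes.

    A single crash is ordinary; repeated crashes within a minute look like the
    crash-and-restart loop the exploit relies on and deserve a closer look.
    """
    bursts = []
    window = deque()
    for t in sorted(times):
        window.append(t)
        while t - window[0] > timedelta(seconds=window_s):
            window.popleft()
        if len(window) >= threshold:
            bursts.append(window[0])
    return bursts


if __name__ == "__main__":
    for start in find_crash_bursts(parse_crash_times(SAMPLE_LOG)):
        print(f"mediaserver crash burst starting at {start}")
```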

The researchers say the exploit attacks the CVE-2015-3864 bug in a “fast, reliable and stealthy” way by bypassing ASLR (address space layout randomization), a mechanism designed to thwart exploit writers. To hijack a device successfully, attackers must carry out a sequence of operations.

“We managed to exploit it to make it work in the wild,” Northbit co-founder Gil Dabah said. The research paper reads: “Breaking ASLR requires some information about the device, as different devices use slightly different configurations which may change some offsets or predictable address locations.

“Using the same vulnerability, it is possible to gain arbitrary pointer read to leak back to the web browser and gather information in order to break the ASLR”.

In July 2015, security firm Zimperium was the first to highlight the Stagefright vulnerability. The hack was said to be able to execute remote code on Android devices and could possibly affect up to 95 percent of Android devices.

A second critical vulnerability, dubbed Stagefright 2.0 in October, exploited issues in .mp3 and .mp4 files, which when opened were claimed to allow remote execution of malicious code. It was estimated to affect almost all Android devices on the planet.

Google released a patch for the bug and promised regular security updates for Android phones following the publication of Stagefright’s details. However, it appears that the company has not yet released patches for all versions of Android.

Check out the video below to see Stagefright being exploited on a Google Nexus 5.