We’ve got a scary new Android exploit to warn you about today: the new Stagefright exploit is making headlines around the world for its ability to bypass Google’s ASLR.

Is your Android vulnerable? Probably. To scare you even further, we’re going to tell you everything you need to know about the Stagefright exploit.

Outlined in a Paper by Israeli Researchers

The exploit has not been discovered in any malware or viruses in the wild. Instead, it was outlined in a paper created by a group of Israeli researchers. These researchers were able to exploit the Stagefright vulnerability that first popped up on Android last year.

Their paper – which you can view here in PDF format – is basically a recipe for how to build your own exploit to take advantage of Stagefright.

The paper outlines a three-step process that can reliably be used to hijack any Android device:

Step 1) You visit a malicious webpage that sends a video file to your Android, crashing the operating system’s media server software to reset its internal state

Step 2) Some JavaScript on the page waits for the mediaserver to restart

Step 3) The page then sends information about the device and the user over the internet to the attacker’s private server


Photo Courtesy of ArsTechnica.com

Millions of Android Devices Are Vulnerable

The researchers claim that “millions” of Android devices are vulnerable.

Some media have even put that number as high as 95% of all Android devices in the world today.

The Exploit is Actually Called Metaphor

All good Android exploits have a catchy name, and this new exploit is no exception. The vulnerability itself is called Stagefright, while the exploit has been labeled Metaphor.

You Can Become Infected Simply By Visiting a Hacker’s Webpage

Triggering a system compromise takes no more than visiting an infected website, according to the paper.

All you need to do is open your Android browser and inadvertently navigate to a compromised page. That’s it.

What is Stagefright?

Stagefright is the vulnerability that the Metaphor exploit takes advantage of.

Stagefright is the name of a software library used by Android to parse videos and other media.

Using this vulnerability, attackers can send a booby-trapped message or webpage, which then executes malicious code on vulnerable Android devices.

You Don’t Have to Press Play on the Video

You may be thinking, “Well, I don’t press play on any videos on malicious websites anyway, so I’m not vulnerable to Stagefright.”

Unfortunately, you don’t even have to press play on the video for it to be delivered to your Android.

Until now, researchers believed that Stagefright was unrealistic to exploit in the wild: it was unlikely to be used in real-world attacks. This latest paper shows that attacks are not only possible, but also surprisingly easier than anyone thought.

Google has released security patches to fix the Stagefright vulnerability, although not all carriers and manufacturers have released their own updates yet.
