New Stagefright exploit leaves millions of Android phones open to remote attack

The Infamous Stagefright exploit, which left 95% of Android phones open to an attack last July has returned – and this time a new exploit that could hack Android phones remotely, leaving millions vulnerable.

Widely declared to be the worst Android security bug ever discovered, the original Stagefright left more than 950 million smartphones open to an attack which delivered a booby-trapped multimedia text which then allowed attackers to write code to the device and steal data from sections of the phone. 

> See also: Mobile malware: just a common annoyance or a wolf in sheep's clothing?

In October a second critical vulnerability dubbed Stagefright 2.0, was discovered which exploited issues in .mp3 and .mp4 files to remotely execute malicious code.

Now a new exploit, dubbed Metaphor, has emerged that allows an attacker to hack Android smartphones by tricking users into visiting a hacker's web page that contains a malicious multimedia file.

'Looking at these numbers it's hard to comprehend how many devices are potentially vulnerable,' say the researchers in their full report, which details how to create a fully working exploit.

A group of security researchers from Israeli security firm NorthBit showed how they hacked an Android phone remotely in just ten seconds using the bug.

After Stagefright was discovered, Google released a security update that patches it, as well as promising regular security updates for Android phones. But Google's loose relationsip with partners such as handset manufacturers and networks, plus the huge variant in devices and Android versions out there mean Google can't be as stringent with security as it would need to be to fully defeat Stagefright.

> See also: Why Google should be doing much more to secure Android

'The fact is that Android as an open platform means that there is not one single authority maintaining and securing Android handsets but rather a collection of perhaps dozens of manufacturers and telecom carriers,' said Craig Young, security researcher at security firm Tripwire.

'While Google and a limited set of handset manufacturers have now pledged to produce monthly updates, the vast majority of devices seem to be forgotten or neglected by vendors. Part of the problem is that device creators focus on revenue creating activities like designing new hardware and implementing unique features rather than maintaining safe software for previously sold devices. Sometimes the enhancements made by vendors also have the impact of making it much harder to integrate the latest security updates from theAndroid Open Source Project (AOSP).'

'Another big problem is that Android updates typically must be authorised and deployed by phone service providers, a process that is generally slow and incurs expenses for the carrier as well as the phone maker.'

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics