The mother of all android vulnerabilities is back again. Last year, the stagefright bug had put some 950 million android phones at risk of hacking. And now millions of android devices are at risk again. A group of Israeli researchers claim that they have found a new way to exploit the vulnerability.
What is Stagefright?
“Stagefright” is the name of the media library—a portion of Android’s open source code—in which the bugs were found. It’s obviously a great bug name, too. The original stagefright vulnerability was discovered by the researchers at Zimperium. Google has since issued multiple patches and fixes to the stagefright vulnerability.
Metaphor - A (real) real life Stagefright exploit
The research company NorthBit, based in Israel, published a paper 'Metaphor' - that's the name of their stagefright implementation. The paper presents the research results, further details the vulnerability’s limitations and depicts a way to bypass ASLR as well as future research suggestions. They present a more thorough research of libstagefright and new techniques used to bypass ASLR.
The company also said that the exploit works best on Nexus 5 with stock ROM. It was also tested on HTC One, LG G3 and Samsung S5, however exploitation is slightly different between different vendors.
The team built a working exploit affecting Android versions 2.2 - 4.0 and 5.0 - 5.1, while bypassing ASLR on versions 5.0 - 5.1 (as Android versions 2.2 - 4.0 do not implement ASLR). They even shared the distribution of Android platform versions taken from statista, which depicted -
● 23.5% of Android devices are versions 5.0 5.1 about 235,000,000 devices
● 4.0% of Android versions are versions 2.x with no ASLR about 40,000,000 devices
"Looking at these numbers, it's hard to comprehend how many devices are potentially vulnerable," NorthBit wrote.
NorthBit has also uploaded a video of a successful attack. The video shows a victim using Nexus 5 running on Android 5.0.1 operating system. The victim opens a link that leads to cat photos, while NorthBit shows the real time attacking scenario. The compromised device is connected back to server, dumping all properties of the device.