An older flaw in Stagefright, the Android media server and multimedia library, has resurfaced despite earlier claims that it had been fixed. According to reports and a research paper recently published by NorthBit, the vulnerability was never fully fixed, leaving millions of Android devices at risk right now with no clear guidance yet on how to prevent or fix the issue.
The vulnerability would allow attackers to access data and functions on devices running Android versions 2.2 through 4.0, and 5.0 and 5.1, through an exploit the paper's authors have dubbed 'Metaphor'. The people behind it, a group of Israeli researchers who explain in detail how the exploit can be built and used, are trying to make Android users aware of the danger they put themselves in by visiting suspicious websites.
According to the researchers, simply visiting an attacker's web page, without clicking on anything or downloading any file, is enough to trigger the exploit and compromise the device. It works, they explain, through the very way Stagefright works: a crafted media file, whether delivered in a message or embedded in a web page, is parsed by the library automatically, and that parsing is what starts the attacker's code running on the device.
The paper describes the process as three stages the device is put through before the vulnerability is used to compromise its data, without any outward sign that something external is acting on the system.
When the device's owner lands on the attacker's website, the page serves a video file that crashes the Stagefright media server; when the server restarts, its internal state is reset. JavaScript on the page then uses that moment to send information about the device back to the attacker.
The actual 'Metaphor' exploit only comes afterwards: with the leaked device information in hand, the attacker generates a second video file tailored to that device, and when Stagefright processes it, malicious code is executed. Because everything is driven by information about the internal state of that particular device, the code runs inside the media server process, with that process's privileges rather than root, which is enough to leak data and spy on the device without being detected by the system.
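The three stages above all begin with the media server being crashed and restarted, so repeated mediaserver crashes within a short window are one indicator a defender can look for. The script below is an added example written for this article; it is not code from NorthBit's paper or from any Android component. It assumes the `logcat -v threadtime` line format and the `Fatal signal N (SIGNAME) ... (processname)` message that Android's libc writes on a crash; the log excerpt inside it is constructed for the example, not captured from a device. The burst detection is a heuristic, not a signature for Metaphor specifically.

```python
import re
from datetime import datetime

# Constructed logcat excerpt in threadtime format, written for this example
# (not a real capture). It contains three mediaserver crashes: two a few seconds
# apart during a page load, and one much later.
SAMPLE_LOGCAT = """\
03-16 12:00:01.100  1201  1201 I chromium: [INFO:CONSOLE(1)] "loading video"
03-16 12:00:01.450  1337  1345 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 1345 (mediaserver)
03-16 12:00:02.010   210   210 I ServiceManager: service 'media.player' died
03-16 12:00:02.300  1402  1402 I mediaserver: registering media services
03-16 12:00:05.800  1402  1410 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 1410 (mediaserver)
03-16 12:00:06.150   210   210 I ServiceManager: service 'media.player' died
03-16 12:00:07.000  1455  1455 I mediaserver: registering media services
03-16 12:00:30.000  1201  1201 I chromium: [INFO:CONSOLE(1)] "done"
03-16 12:00:50.000  1455  1460 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 1460 (mediaserver)
"""

# threadtime format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>\S+)\s*:\s(?P<msg>.*)$"
)
# Assumed libc crash message shape; the final parenthesised token is the process name.
FATAL_RE = re.compile(r"Fatal signal (?P<sig>\d+) \((?P<name>\w+)\).*\((?P<proc>[^)]+)\)$")


def parse_logcat(text):
    """Parse threadtime-format lines into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # logcat omits the year; strptime fills in 1900, which is fine for deltas
        rec["ts"] = datetime.strptime(rec["ts"], "%m-%d %H:%M:%S.%f")
        rec["pid"] = int(rec["pid"])
        rec["tid"] = int(rec["tid"])
        records.append(rec)
    return records


def find_mediaserver_crashes(text):
    """Return (timestamp, pid, signal name) for every fatal signal in a mediaserver thread."""
    crashes = []
    for rec in parse_logcat(text):
        if rec["level"] != "F" or rec["tag"] != "libc":
            continue
        m = FATAL_RE.search(rec["msg"])
        if m and m.group("proc") == "mediaserver":
            crashes.append((rec["ts"], rec["pid"], m.group("name")))
    return crashes


def detect_crash_bursts(crashes, window_seconds=30, threshold=2):
    """Group crashes that fall within window_seconds of a burst's first crash and
    report every group with at least `threshold` members. A single crash is
    ordinary; several in quick succession from one browsing session are not."""
    bursts = []
    ordered = sorted(crashes)
    i = 0
    while i < len(ordered):
        first = ordered[i][0]
        j = i
        while j + 1 < len(ordered) and (ordered[j + 1][0] - first).total_seconds() <= window_seconds:
            j += 1
        group = ordered[i:j + 1]
        if len(group) >= threshold:
            bursts.append({
                "start": first,
                "end": ordered[j][0],
                "count": len(group),
                "pids": [c[1] for c in group],   # each restart gets a fresh pid
            })
        i = j + 1
    return bursts


if __name__ == "__main__":
    found = find_mediaserver_crashes(SAMPLE_LOGCAT)
    for b in detect_crash_bursts(found):
        print(f"ALERT: {b['count']} mediaserver crashes between "
              f"{b['start'].time()} and {b['end'].time()}, pids {b['pids']}")
```

On the constructed excerpt the default 30-second window reports one burst of two crashes (pids 1337 and 1402) and ignores the isolated crash 45 seconds later; widening the window to 60 seconds folds all three into one burst. The changing pid across crashes is itself useful context: it confirms the process was actually restarted, which is the state reset the attack depends on.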