Introducing Metaphor: Another Android Stagefright exploit

Researchers in Israel have come across a new way of exploiting the Stagefright vulnerability that was uncovered last year, and which affects the library that Android uses to analyze multimedia files.

To recap, cybercriminals can execute malicious code through a harmful or compromised website – or a specially designed MMS – to steal information. There is, however, a free tool capable of detecting if the device is vulnerable to Stagefright.

But that’s not all. A recent paper by Hanan Be’er, a researcher with NorthBit, describes an exploit known as ‘Metaphor’ that goes further in taking advantage of the Stagefright vulnerability. He suggests that millions of Android devices are vulnerable to this exploit, which dodges their defense mechanisms. The threat works on Android 2.2 to 4.0 and 5.0 to 5.1. On the latest of these versions it can also evade ASLR (‘address space layout randomization’), a mitigation that randomizes where code and data sit in memory so that exploits for memory-corruption bugs such as buffer overflows cannot rely on known addresses.

As reported by The Register, the process is made up of several stages. First, the victim lands on a malicious website. The site sends a video to the device, which crashes the operating system’s multimedia server (mediaserver) in order to reset its internal state. JavaScript on the page waits for mediaserver to restart, and then sends information about the device over the internet to the attacker’s private server.

This server then creates a custom video file and sends it to the device; the file exploits Stagefright to reveal more information about the device’s internal state. When processed by Stagefright, the next video created by the attacker begins executing a payload which carries all the privileges it needs to spy on the user.

The exploit targets the CVE-2015-3864 bug and does not require the user to ‘play’ or view the video: it is triggered when the web browser fetches and parses the file. Stagefright is the native media player for Android devices.

“Our exploit works best on Nexus 5 devices. It was also tested on HTC One, LG G3, and Samsung S5 devices, although the exploit was slightly different on these brands. We will need to make a few adjustments”, concludes the analysis.

In any event, we have to remember that exploits developed in test environments are often presented as extremely critical problems, but we subsequently see that their actual scope is limited to highly specific scenarios. This attack also requires JavaScript to execute in a web browser, and, as researchers have found, this type of code has a number of limitations.

This shows that there is no need to panic. Users should just keep up to date with the latest news and download patches when released by the provider.

Author , ESET

Copyright © 2016 ESET, All Rights Reserved.