Researchers in Israel have come across a new way of exploiting the Stagefright vulnerability that was uncovered last year, which affects the library that Android uses to parse multimedia files. To recap, cybercriminals can execute malicious code through a harmful or compromised website – or a specially crafted MMS – in order to steal information. There is, however, a free tool capable of detecting whether a device is vulnerable to Stagefright.
But that’s not all. A recent paper by Hanan Be’er, a researcher with NorthBit, describes an exploit known as ‘Metaphor’ that takes advantage of the Stagefright vulnerability further than before. He suggests that millions of Android devices are vulnerable to this exploit, which dodges their defense mechanisms. The technique works on Android 2.2 to 4.0 and 5.0 to 5.1. On top of this, on the later of those versions it can bypass ASLR (‘address space layout randomization’), a defense designed to make memory-corruption exploits such as buffer overflow attacks much harder to carry out.
As stated in The Register, the process is made up of several stages. First, the victim lands on a malicious website. The site sends a video to the device that crashes the operating system’s multimedia server (mediaserver) in order to reset its internal state. JavaScript on the page waits for mediaserver to restart, and then sends information about the device over the internet to the attacker’s private server.
This server then creates a custom video file, which is sent to the device; when parsed, it exploits Stagefright to leak further details about the device’s internal state (the information needed to defeat ASLR). A final video created by the attacker, once processed by Stagefright, begins executing a payload that carries all the privileges it needs to spy on the user.
The exploit targets the CVE-2015-3864 bug, and it does so without the user ever having to ‘play’ or view the video: it starts working as soon as the web browser fetches and parses the file. Stagefright is the native media playback library on Android devices.
“Our exploit works best on Nexus 5 devices. It was also tested on HTC One, LG G3, and Samsung S5 devices, although the exploit was slightly different on these brands. We will need to make a few adjustments,” concludes the analysis.
In any event, what we have to remember is that exploits developed in test environments are often presented as extremely critical problems, but their actual scope frequently turns out to be limited to highly specific scenarios. This attack also requires JavaScript to be executed in a web browser, and, as the researchers themselves found, this kind of code has a number of limitations.
This shows that there is no need to panic. Users should simply keep up to date with the latest news and install patches as soon as their device’s provider releases them.