New Stagefright Vulnerability Found, Millions of Android Devices Affected: Report
Security researchers have once again discovered a flaw in Android’s Stagefright mediaserver component. In a demonstration, the researchers were able to remotely hack a phone with Stagefright-based exploit. Their finding underscores a vulnerability in millions of Android devices that could be triggered when they are made to visit a specially-crafted webpage.
Israel-based research firm Northbit published a research paper this week in which it claims to have found a “proper” exploit dubbed Metaphor, using a new vulnerability in the Stagefright. The firm’s researchers said that they were remotely able to hack a Nexus 5, and have successfully replicated the exploit on a LG G3, Samsung Galaxy S5, and HTC One. According to them, devices running Android 5.0 Lollipop or v5.1, that account for roughly 36 percent of 1.4 billion active devices are vulnerable.
The exploit attacks the CVE-2015-3864 bug in a “fast, reliable and stealthy” way, says researchers, that bypasses ASLR (address space layout randomization). As you can imagine, for security attackers to be successful in hijacking the device, they need to perform a cascade of operations.
A bug in Stagefright, an Android multimedia library, was first found in July. Google had patched the bug, though security researchers had found flaws in the patch. Stagefright 2.0 was detected in October. It was estimated to affect almost all Android devices on the planet.