A group of Israeli researchers reckon they’ve cracked the challenge of crafting a reliable exploit for the Stagefright vulnerability that emerged in Android last year.
In a paper [PDF] that’s a cookbook on how to build the exploit for yourself, they suggest millions of unpatched Android devices are vulnerable to their design, which bypasses Android’s security defenses. Visiting a hacker’s webpage is enough to trigger a system compromise, we’re told.
Since no hot piece of infosec action exists without a name these days, the paper, written by Hanan Be’er of North-Bit, dubs the implementation of the Stagefright exploit “Metaphor.”
Stagefright is the name of a software library used by Android to parse videos and other media; it can be exploited by a booby-trapped message or webpage to execute malicious code on vulnerable devices.
The paper describes a three-step process for reliably hijacking an Android device:
While North-Bit reckons its exploit design is reliable, you’ll have to, as described above, do some server-side work to deploy Metaphor.
The exploit also needs to perform a heap spray to work, and that means the attacker may need to attempt exploitation multiple times on the target.
However, North-Bit says that with “further research it may be possible to lay aside all or some of the lookup tables” used to generate custom malicious video files – and that would lay the groundwork for a generic exploit.
The exploit specifically attacks the CVE-2015-3864 bug in a “fast, reliable and stealthy” way that bypasses ASLR – aka address space layout randomization, a mitigation that randomizes where code and data sit in memory so that an exploit cannot rely on fixed addresses, which defeats a lot of exploit writers.
It’s also important to note that the victim doesn’t have to press play on a rigged MPEG4 video file, because the bug is triggered when the web browser simply fetches and parses the file upon first seeing it.
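To make concrete what “parsing the file” means here: an MP4 file is a sequence of boxes, each starting with a 32-bit big-endian size and a four-character type, and CVE-2015-3864 is an integer overflow in libstagefright’s MPEG4 extractor when it grows a buffer by an attacker-chosen box size. The walker below is an added illustration of that bug class and its fix, written for this article; it is not Stagefright’s code, not North-Bit’s, and the two sample files, box types and function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Minimal ISO-BMFF/MP4 box walker.  Every box is
 * [32-bit big-endian size][4-byte type][payload]; size counts the header.
 * size == 1 means a 64-bit "largesize" follows the type, size == 0 means
 * the box runs to the end of the data. */

typedef struct {
    char     type[5];
    uint64_t size;     /* total box size including its header */
    uint64_t hdr_len;  /* 8 or 16 */
} box_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Vulnerable pattern: a 32-bit running length (as on a 32-bit ARM build)
 * is grown by a box size taken straight from the file.  The sum wraps, a
 * buffer is allocated with the tiny wrapped size, and the copy that follows
 * runs off its end.  This function just shows the wrapped arithmetic. */
uint32_t unchecked_grow(uint32_t have, uint32_t add) {
    return have + add;   /* 0x20 + 0xFFFFFFF0 wraps to 0x10 */
}

/* Hardened pattern: reject growth that does not fit.  Returns the new
 * length, or -1 when have + add would exceed UINT32_MAX. */
int64_t checked_grow(uint32_t have, uint32_t add) {
    if (add > UINT32_MAX - have) return -1;
    return (int64_t)have + add;
}

/* Parse one box header from buf[0..len).  Returns 0 on success, -1 if the
 * header itself is truncated, -2 if the declared size is smaller than the
 * header or larger than the bytes actually present. */
int parse_box(const uint8_t *buf, size_t len, box_t *out) {
    if (len < 8) return -1;
    uint64_t size = be32(buf);
    uint64_t hdr  = 8;
    memcpy(out->type, buf + 4, 4);
    out->type[4] = '\0';
    if (size == 1) {
        if (len < 16) return -1;
        size = be64(buf + 8);
        hdr  = 16;
    } else if (size == 0) {
        size = len;  /* box extends to end of data */
    }
    if (size < hdr || size > len) return -2;
    out->size    = size;
    out->hdr_len = hdr;
    return 0;
}

/* Walk every top-level box; returns the box count or the first error. */
int count_boxes(const uint8_t *buf, size_t len) {
    int n = 0;
    size_t off = 0;
    while (off < len) {
        box_t b;
        int rc = parse_box(buf + off, len - off, &b);
        if (rc) return rc;
        off += (size_t)b.size;  /* size <= len - off, so no wrap */
        n++;
    }
    return n;
}

/* Constructed sample, not taken from a real file: a 16-byte 'ftyp' box
 * followed by an 8-byte 'free' box. */
static const uint8_t good_sample[] = {
    0, 0, 0, 16, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0, 0, 0, 1,
    0, 0, 0, 8,  'f', 'r', 'e', 'e'
};

/* Constructed sample whose second box claims to be 0xFFFFFFF0 bytes long
 * while only 12 bytes remain; a parser that trusts the field and does
 * unchecked size arithmetic on it is the shape of bug discussed above. */
static const uint8_t bad_sample[] = {
    0, 0, 0, 16, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0, 0, 0, 1,
    0xFF, 0xFF, 0xFF, 0xF0, 't', 'x', '3', 'g', 0, 0, 0, 0
};
```

`count_boxes` accepts the first sample and rejects the second before any allocation happens, which is the check a media parser needs in addition to overflow-safe length arithmetic: the declared size must be validated against the bytes actually present, not just against integer range.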
“It was claimed [the bug] was impractical to exploit in the wild, mainly due to the implementation of exploit mitigations in newer Android versions, specifically ASLR,” the paper states.
“The team here at North-Bit has built a working exploit affecting Android versions 2.2 to 4.0 and 5.0 to 5.1, while bypassing ASLR on versions 5.0 to 5.1 (as Android versions 2.2 to 4.0 do not implement ASLR).”
Google released security patches to kill Stagefright’s vulnerabilities, although not every Android phone and tablet can receive and install them: some manufacturers and network carriers were in no rush to update older models, leaving potentially millions of gadgets at the mercy of exploits like the one built by North-Bit.
Updated to add
A Google spokesman has been in touch to say: “Android devices with a security patch level of October 1, 2015 or greater are protected because of a fix we released for this issue (CVE-2015-3864) last year. As always, we appreciate the security community’s research efforts as they help further secure the Android ecosystem for everyone.”