Skip to content

March 19, 2016

Stagefright exploit reliably attacks Android phones

by John_A

You may know that the Stagefright security flaw is theoretically dangerous, but it hasn’t been that risky in practice — it’s just too difficult to implement on an Android device in a reliable way. Or rather, it was. Security researchers at NorthBit have developed a proof-of-concept Stagefright exploit, Metaphor, that reliably compromises Android phones. The key is a back-and-forth procedure that gauges a device’s defenses before diving in. Visit a website with a maliciously-designed MPEG-4 video and the attack will crash Android’s media server, send hardware data back to the attacker, send another video file, collect additional security data and deliver one last video file that actually infects the device.

It sounds laborious, but it works quickly: a typical attack breaks into a phone within 20 seconds. And while it’s most effective on a Nexus 5 with stock firmware, it’s known to work on the customized Android variants found on phones like the HTC One, LG G3 and Samsung Galaxy S5.

This doesn’t amount to an in-the-wild attack, and you’ll be fine if you’re running Android 6.0 Marshmallow or any other OS version patched against Stagefright. The catch is that relatively few people are in that boat — most Android users are running Lollipop or earlier, and only some of those devices have Stagefright patches. You’re probably fine if you own a relatively recent device, but your friend with a years-old Android phone is at risk.

Via: ZDNet

Source: Exploit Database (PDF)

Read more from News

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Note: HTML is allowed. Your email address will never be published.

Subscribe to comments

%d bloggers like this: