Another Android Stagefright Vulnerability is Exposed

In mid March, researchers at NorthBit released a video and a detailed research PDF demonstrating a proof of concept for an exploit that can essentially give attackers control over the hardware and data of certain Android phones. This latest exploit of Android’s Stagefright is referred to as “Metaphor.”

What Is The “Stagefright” Vulnerability?

The Stagefright vulnerability first made headlines in July 2015 with an exploit that put Android devices at risk if they received a malicious MMS message. The recipients didn’t even need to open the message to have all of their phone’s data (contacts, camera, photos, microphone etc.) exposed to cyber-criminals.

This vulnerability was referred to as “the worst Android vulnerability discovered to date.” Then, in October 2015, Zimperium zLabs, the enterprise mobile security company that exposed the first Stagefright vulnerability, discovered yet another security issue affecting media processing in Android: Stagefright 2.0.

How Could My Device Get Infected?

The new Metaphor exploit puts your device at risk if you simply click a link and land on a website containing a malicious MPEG-4 video. It is important to note that you don’t even need to start playing the video for the exploit to begin working. NorthBit explains that your device only needs to start “parsing” the file, reading metadata such as artist or title, for the media file attack to begin.
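The point above is that an MPEG-4 file is a tree of length-prefixed “boxes” that a player walks to read the title and artist before any frame is decoded, so the parser itself is the attack surface. The following added example (not code from the original post or from NorthBit) builds a constructed MPEG-4 containing only that metadata path and walks it the way a defensively written parser should: every declared box size is checked against the bytes actually present before it is used as a length, and a file that lies about a size is rejected instead of trusted.

```python
import struct

def box(kind: bytes, payload: bytes) -> bytes:
    """Encode one ISO BMFF box: big-endian 32-bit size (header included) + 4-byte type."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload

# Constructed sample: a container holding only the metadata path
# ftyp, moov -> udta -> meta -> ilst -> (c)nam -> data, and no media at all.
SAMPLE_MP4 = box(b"ftyp", b"isom\x00\x00\x02\x00isom") + box(b"moov", box(b"udta",
    box(b"meta", b"\x00\x00\x00\x00" + box(b"ilst", box(b"\xa9nam",
        box(b"data", struct.pack(">II", 1, 0) + b"cute kittens"))))))
# Constructed malformed sample: a trailing box whose declared size exceeds the file.
OVERSIZED_MP4 = SAMPLE_MP4 + struct.pack(">I", 0x7FFFFFF0) + b"free"

CONTAINERS = {b"moov", b"udta", b"ilst", b"\xa9nam"}
FULLBOXES = {b"meta"}   # a FullBox: 4 bytes of version/flags precede its children

def walk(buf: bytes, pos: int, end: int, depth: int, out: list) -> None:
    """Enumerate boxes in buf[pos:end], recursing into containers. Every size
    field is validated against the bytes actually present before it is used
    as a length, so a hostile size cannot steer reads past the buffer."""
    while pos < end:
        if end - pos < 8:
            raise ValueError(f"truncated box header at offset {pos}")
        size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
        hdr = 8
        if size == 1:                      # 64-bit "largesize" follows the type
            if end - pos < 16:
                raise ValueError(f"truncated largesize at offset {pos}")
            size, hdr = struct.unpack(">Q", buf[pos + 8:pos + 16])[0], 16
        elif size == 0:                    # box runs to the end of the parent
            size = end - pos
        if size < hdr or size > end - pos:
            raise ValueError(f"box {kind!r} at {pos} declares {size} bytes, "
                             f"{end - pos} available")
        body = pos + hdr + (4 if kind in FULLBOXES else 0)
        if body > pos + size:
            raise ValueError(f"FullBox {kind!r} at {pos} too small for its header")
        out.append((depth, kind, buf[body:pos + size]))
        if kind in CONTAINERS or kind in FULLBOXES:
            walk(buf, body, pos + size, depth + 1, out)
        pos += size

def extract_title(buf: bytes):
    """Return the iTunes-style title ((c)nam/data) if present, else None."""
    boxes = []
    walk(buf, 0, len(buf), 0, boxes)
    for i, (_, kind, payload) in enumerate(boxes):
        if kind == b"data" and i > 0 and boxes[i - 1][1] == b"\xa9nam":
            if len(payload) < 8:
                raise ValueError("data box too small for its type/locale header")
            return payload[8:].decode("utf-8", errors="replace")
    return None
```

Running `extract_title(SAMPLE_MP4)` returns the title without any media being decoded, which is exactly the code path the article says is reached just by opening the page; `extract_title(OVERSIZED_MP4)` raises instead of reading out of bounds.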

So, how could someone find themselves on a webpage that hosts this dangerous MPEG-4 file? The example NorthBit offers is an email: in their proof of concept video, a link to a webpage full of cute kittens is actually an attack. Kittens may be an internet favorite, but not after they tear your Android phone to pieces!

Cyber-criminals have more ways than irresistible clickbait emails about kittens to lead you to a webpage hosting a dangerous MPEG-4 file. These include hiding it on a hacked website using hidden content such as iframes and invisible tags, placing it in the <script> or <iframe> tags of ads, and even the automatic pop-ups of free wifi hotspots or the QR codes we all find in our cities.

How Does This Stagefright Exploit Work?

However you arrive at a website serving a dangerous MPEG-4 video, the attack starts with that video crashing and restarting your Android device’s media service, after which the page sends a second malicious video. This second video, together with the JavaScript hosted on the web page, sends the hacker hardware details and information about your phone’s protections. If the hackers want more, they can extract more data by sending your device further malicious videos. The whole process can take less than 20 seconds, and it has the potential to hand access to your device’s camera, microphone and GPS, as well as all of your personal data, directly to a hacker’s server.

Anatomy of Metaphor Stagefright Attack [Infographic]

Is My Android Device Vulnerable?

The first thing to check is which version of the Android operating system you’re currently using. If you have a recent device and are running Android 6.0 Marshmallow you will be fine. The researchers at NorthBit successfully used this Stagefright exploit on Nexus 5, LG G3, HTC One and Samsung Galaxy S5 devices, all popular devices used by millions.

Metaphor can infect devices running Android versions 2.2 and 4.0. This exploit can also run on Android versions 5.0 and 5.1, bypassing address space layout randomization (ASLR), the defence that makes memory-corruption exploits such as buffer overflows harder to carry out. These older Android devices and any device running Android 5.0 or 5.1, including earlier versions that didn’t get a Stagefright patch from Google, are at risk. If you are using a vulnerable device, be extra cautious with the links that you click.

It’s important to remember that this exploit was developed by white-hat researchers in a laboratory and has not been found in the wild… yet. The research team at NorthBit, however, admits that hackers, criminals, or even governments with bad intentions could be developing and even deploying this exploit to spy on and steal data from vulnerable devices.

Since NorthBit published this latest Stagefright vulnerability, Google has included patches for a number of security vulnerabilities, including this recent libstagefright exploit, in its April monthly security update. Nexus users will be the first to receive this patch, but devices from other vendors should be receiving fixes before too long.
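The two checks above (which Android release a device runs, and whether it has received the April update) can be scripted for a fleet. This is an added example, not code from the original post: it parses the `[key]: [value]` lines that `adb shell getprop` prints and classifies the build against the ranges the article names, treating the article’s “2.2 and 4.0” as the range 2.2 through 4.0; the sample output and the fix patch level are constructed assumptions, so confirm the exact patch level against Google’s bulletin.

```python
import re

# Constructed sample in the `[key]: [value]` format that `adb shell getprop` prints.
SAMPLE_GETPROP = """\
[ro.product.model]: [Nexus 5]
[ro.build.version.release]: [5.1.1]
[ro.build.version.security_patch]: [2016-03-01]
"""
# Assumption: the patch level of the April 2016 update the article refers to;
# confirm the exact level against Google's bulletin before relying on it.
FIX_PATCH_LEVEL = "2016-04-01"

def parse_getprop(text: str) -> dict:
    """Turn getprop output into a {property: value} dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M))

def version_tuple(release: str) -> tuple:
    """'5.1.1' -> (5, 1, 1); '4.0' -> (4, 0, 0). Non-numeric releases become (0, 0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", release)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def assess(props: dict, fix_level: str = FIX_PATCH_LEVEL) -> str:
    """Classify a build against the version ranges the article gives for Metaphor."""
    v = version_tuple(props.get("ro.build.version.release", ""))
    if v >= (6, 0, 0):
        return "not affected: Android 6.0 or newer"
    in_old = (2, 2, 0) <= v <= (4, 0, 99)      # the 2.2 to 4.0 range
    in_lollipop = (5, 0, 0) <= v < (5, 2, 0)   # 5.0 / 5.1, where ASLR is bypassed
    if not (in_old or in_lollipop):
        return "outside the ranges the article names: check the vendor's advisory"
    patch = props.get("ro.build.version.security_patch")
    if not patch:
        return "affected version, no security patch level reported: treat as unpatched"
    # Patch levels are ISO dates, so plain string comparison orders them correctly.
    if patch >= fix_level:
        return f"affected version, but patch level {patch} includes the fix"
    return f"vulnerable: patch level {patch} predates the fix ({fix_level})"

if __name__ == "__main__":
    print(assess(parse_getprop(SAMPLE_GETPROP)))
```

Devices older than 6.0 often do not report `ro.build.version.security_patch` at all, which is why a missing value is treated as unpatched rather than as unknown.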

Key Takeaways:

While open source comes with all the advantages that we know and love, it’s important to remember that it is still something that needs to be analyzed and properly validated prior to implementation in your app.

Checkmarx offers mobile developers a unique code security analysis for Android, iOS, Windows, and PhoneGap apps called CxSAST. Instead of waiting for code vulnerabilities to appear at a later stage of development, CxSAST eliminates them during the coding process. As mobile developers face new and uncertain security challenges, the risk of introducing vulnerabilities during development increases. The original Stagefright exploit was in fact the result of one or more code vulnerabilities that could have been both detected and resolved at an earlier stage of development. To see if CxSAST is the solution that your code needs, click here.