Metaphor: New Stagefright Exploit Puts Millions of Android Devices at Risk… Again
In late July of 2015, a number of vulnerabilities were found on Android's libStageFright multimedia component. Called Stagefright, the vulnerability put millions of Android devices at risk, allowing remote code execution after receiving an MMS message, downloading a video file, or opening a page embedded with multimedia content. Trend Micro discovered one such vulnerability within the Stagefright library during that time that could virtually "kill" an Android device when exploited.
[Read: Stagefright vulnerability affects 950 million users]
Google has since distributed Stagefright patches for the vulnerabilities (and said that the company would implement a regular patching schedule), but it appears that there are still some flaws that can still be exploited. Researchers from NorthBit released a document that provides details on a working Stagefright exploit of the CVE-2015-3864 vulnerability. Dubbed "Metaphor", the exploit is said to affect devices running on Android versions 2.2 to 4.0, and is able to bypass ASLR1 on versions 5.0 to 5.1.
While Google is expected to release a patch soon to fix the flaws exploited by Metaphor, it might not be fast enough. Patching the round of Stagefright bugs found last year is still said to be spotty, thanks to the number of manufacturers and carriers involved in patch distribution, and it's no different today. Owners of affected devices are advised to update their software as soon as a patch becomes available.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: TargetCompany
- Email Threat Landscape Report: Cybercriminal Tactics, Techniques That Organizations Need to Know
- Preventing an Imminent Ransomware Attack With Early Detection and Investigation
- Inside the Halls of a Cybercrime Business
- Securing Cloud-Native Environments with Zero Trust: Real-World Attack Cases