New Stagefright Vulnerability Found, Millions of Android Devices Affected: Report

Security researchers have once again discovered a flaw in Android's Stagefright mediaserver component. In a demonstration, the researchers were able to remotely hack a phone with Stagefright-based exploit. Their finding underscores a vulnerability in millions of Android devices that could be triggered when they are made to visit a specially-crafted webpage.

Israel-based research firm Northbit published a research paper this week in which it claims to have found a "proper" exploit dubbed Metaphor, using a new vulnerability in the Stagefright. The firm's researchers said that they were remotely able to hack a Nexus 5, and have successfully replicated the exploit on a LG G3, Samsung Galaxy S5, and HTC One. According to them, devices running Android 5.0 Lollipop or v5.1, that account for roughly 36 percent of 1.4 billion active devices are vulnerable.

In the paper, the researchers have described a three-step process to hijack an Android device. A user is first made to visit a specially-crafted webpage that hosts a video file capable of crashing the mediaserver software on the target handset. The video file resets the mediaserver software and waits for it to restart. After which, a JavaScript on the webpage sends information about the device to the attacker's server, which then generates another video file, sends it to the device, and fetches more information such as the internal state of the device. After this, another video file is sent to the victim's device, and executes a payload of malware, and begins spying.

The exploit attacks the CVE-2015-3864 bug in a "fast, reliable and stealthy" way, says researchers, that bypasses ASLR (address space layout randomization). As you can imagine, for security attackers to be successful in hijacking the device, they need to perform a cascade of operations.

A bug in Stagefright, an Android multimedia library, was first found in July. Google had patched the bug, though security researchers had found flaws in the patch. Stagefright 2.0 was detected in October. It was estimated to affect almost all Android devices on the planet.