A new proof of concept Stagefright exploit called Metaphor has been made public by cybersecurity firm NorthBit,...
which is based in Israel. The big news is that Metaphor uses an address space layout randomization (ASLR) bypass to affect potentially hundreds of millions of Android devices. What is an ASLR bypass, and how much more serious is this new Stagefright exploit?
Android patching has been problematic since Android was first introduced because of its fragmented hardware and software ecosystem. Apple doesn't have the same challenge that Google faces in ensuring Android devices have the most current patches, because Apple controls the hardware, software and patching process of its devices. Google has to juggle multiple different open source projects in Android, including Linux and other supporting libraries and software. This makes it difficult to patch vulnerable Android devices for the Stagefright exploit. Google is making changes to how Android is patched, but there is still a significant installed base that will not get the patches or other security improvements.
The Metaphor proof of concept increases the risk of Android users experiencing a potential Stagefright exploit on their devices, but Android's fragmented ecosystem will make it difficult for widespread attacks. Metaphor uses an ASLR bypass, cheating the operating system process which randomizes the location where system executables are loaded into memory. It predicts these locations and performs buffer-overflow attacks.
Metaphor provides a framework for developing targeted exploits, but it would still require critical information about the specific device, such as gadget offsets or predictable addresses. The exploit authors provide a table of some of these values. Also, few smartphones expose the vulnerable Mediaserver functionality to the network so a traditional network worm is unlikely, but many smartphone users render SMS messages, webpages and email automatically. This update could be used in targeted attacks, so having an endpoint security tool that analyzes incoming messages and blocks malicious messages may provide additional protection.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Get tips on how to improve Android mobile security
Learn about Android security policies your enterprise should adopt
Read about the challenges of Android device security management
Dig Deeper on Mobile security threats and prevention
Related Q&A from Nick Lewis
Researchers developed aIR-Jumper, an exploit that leverages lights within security cameras to extract data. Learn how this attack works and how to ...continue reading
The com.google.provision virus reportedly targets Android users, but little is known about it. Nick Lewis discusses the mystery threat and how Common...continue reading
A bug in Microsoft's Internet Explorer update exposes information that users enter into the browser's address bar. Learn more about the bug and URL ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.