bexxandbrain - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How does the new Stagefright exploit Metaphor conduct an ASLR bypass?

A new Stagefright exploit called Metaphor has been released. Expert Nick Lewis explains its ability to do an ASLR bypass, and what it means for Android device security.

A new proof of concept Stagefright exploit called Metaphor has been made public by cybersecurity firm NorthBit, which is based in Israel. The big news is that Metaphor uses an address space layout randomization (ASLR) bypass to affect potentially hundreds of millions of Android devices. What is an ASLR bypass, and how much more serious is this new Stagefright exploit?

Android patching has been problematic since Android was first introduced because of its fragmented hardware and software ecosystem. Apple doesn't have the same challenge that Google faces in ensuring Android devices have the most current patches, because Apple controls the hardware, software and patching process of its devices. Google has to juggle multiple different open source projects in Android, including Linux and other supporting libraries and software. This makes it difficult to patch vulnerable Android devices for the Stagefright exploit. Google is making changes to how Android is patched, but there is still a significant installed base that will not get the patches or other security improvements.

The Metaphor proof of concept increases the risk of Android users experiencing a potential Stagefright exploit on their devices, but Android's fragmented ecosystem will make it difficult for widespread attacks. Metaphor uses an ASLR bypass, cheating the operating system process which randomizes the location where system executables are loaded into memory. It predicts these locations and performs buffer-overflow attacks.

Metaphor provides a framework for developing targeted exploits, but it would still require critical information about the specific device, such as gadget offsets or predictable addresses. The exploit authors provide a table of some of these values. Also, few smartphones expose the vulnerable Mediaserver functionality to the network so a traditional network worm is unlikely, but many smartphone users render SMS messages, webpages and email automatically. This update could be used in targeted attacks, so having an endpoint security tool that analyzes incoming messages and blocks malicious messages may provide additional protection.

Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Next Steps

Get tips on how to improve Android mobile security

Learn about Android security policies your enterprise should adopt

Read about the challenges of Android device security management

This was last published in August 2016

Dig Deeper on Mobile security threats and prevention