Security researchers at NorthBit Ltd., based in Herzliya, Israel, created the exploit by building on the Stagefright vulnerability. Discovered by San Francisco-based mobile security firm Zimperium last year, the Stagefright vulnerability allows for the execution of malicious code through flaws in the Stagefright media library. When the vulnerability was first reported, Google noted that Android versions 4.1 and higher use address space layout randomization (ASLR), which greatly reduces the likelihood of a successful exploit, and that Android versions 5.0 and higher make ASLR even stronger by requiring that all dynamically linked executables be position-independent executables.
The improvement to the Stagefright exploit introduced by NorthBit was an ASLR bypass. NorthBit found that the media server leaked address information, which could be used to defeat ASLR and craft targeted attacks.
The researchers noted that the Metaphor attack code must be tailored to work on a specific model of Android hardware. This makes a universal exploit less likely, but not technically impossible.
Tod Beardsley, engineering manager at Rapid7 LLC, based in Boston, said the need for specific target info reminded him of the Conficker worm on Windows.
"[Conficker], too, was a hassle to exploit, since it needed specific targets for specific builds of Windows, but that can be -- and was -- automated by the attackers," Beardsley said. "I'm very concerned with Stagefright for the same reasons. There is no reason to believe it can't be used to construct a similar exploit-driven worm by compromising a phone, getting access to SMS contacts, then blasting messages out. A Stagefright worm would likely require more in the way of central control to serve payloads, but the spam and botnet industries have shown that such infrastructure already exists and is reliable enough for criminal use today."
The Metaphor Stagefright exploit has been found to work against Android versions 2.2 through 4.0, and 5.0 and 5.1. Combined, those versions are estimated to run 275 million phones; however, a Google spokesperson noted that devices have been patched against such an attack.
"Android devices with a security patch level of Oct. 1, 2015, or greater are protected because of a fix we released for this issue (CVE-2015-3864) last year," Google said. "As always, we appreciate the security community's research efforts, as they help further secure the Android ecosystem for everyone."
While Android has a bad reputation for devices not being patched, Samsung has been pushing out security updates. Some reports said Samsung has updated most of its devices to the December 2015 security patch, which would mean a large portion of the estimated 275 million affected phones would be patched against the Stagefright exploit, since Samsung is by far the Android market leader.
Google could not provide statistics on devices outside of its own Nexus line receiving the security updates. Samsung did not respond to requests for patch data at the time of this post.
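For defenders who need to triage a device fleet against the versions and patch level given above, the following is an added example, not code from Google, NorthBit or the original article. It assumes an inventory export of (device ID, Android release, value of the `ro.build.version.security_patch` property); the device IDs and inventory rows are constructed sample data.

```python
from datetime import date

# From the article: releases Metaphor was found to work against, and the
# security patch level Google says carries the CVE-2015-3864 fix.
AFFECTED_RANGES = [((2, 2), (4, 0)), ((5, 0), (5, 1))]
FIXED_PATCH_LEVEL = date(2015, 10, 1)

def parse_release(release):
    """'5.1.1' -> (5, 1); only major.minor matter for the ranges above."""
    parts = release.strip().split(".")
    return int(parts[0]), int(parts[1]) if len(parts) > 1 else 0

def parse_patch_level(value):
    """Parse a 'YYYY-MM-DD' patch level; None if absent or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (AttributeError, ValueError):
        return None

def classify(release, patch_level):
    try:
        version = parse_release(release)
    except (AttributeError, ValueError):
        return "unverified"      # unreadable release string: check by hand
    if not any(lo <= version <= hi for lo, hi in AFFECTED_RANGES):
        return "not-listed"      # outside the releases the article names
    patched_on = parse_patch_level(patch_level)
    if patched_on is None:
        # Older builds often do not report a patch level at all; that is
        # not proof of exposure, so ask the vendor instead of guessing.
        return "unverified"
    return "patched" if patched_on >= FIXED_PATCH_LEVEL else "exposed"

# Constructed sample inventory: (device id, release, reported patch level).
INVENTORY = [
    ("dev-01", "5.1.1", "2015-12-01"),
    ("dev-02", "5.0.2", ""),
    ("dev-03", "4.0.4", None),
    ("dev-04", "5.1", "2015-09-01"),
    ("dev-05", "6.0.1", "2016-03-01"),
    ("dev-06", "4.4.2", ""),
]

def triage(inventory):
    return {dev: classify(rel, patch) for dev, rel, patch in inventory}

if __name__ == "__main__":
    for dev, status in triage(INVENTORY).items():
        print(dev, status)
```

A result of "not-listed" only means the release is outside the ranges the article reports for Metaphor; it says nothing about other Stagefright-related issues.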