Millions of Android users are at risk of a new Metaphor exploit that can take over Samsung, LG and HTC phones in under 20 seconds. The hack gives attackers access to the targeted phones including the ability to inject malware and take control over key smartphone functions.
Discovered by Israeli-based security firm NorthBit, the vulnerability is yet another flaw tied to the maligned Stagefright vulnerability in Android. Affected phones are Nexus 5, LG G3, HTC One and Samsung Galaxy S5 handsets. NorthBit also claims phones running Android 2.2, 4.0, 5.0 and 5.1 are also at risk to Metaphor.
Metaphor works by sending a message to the victim containing a link to a website hosting a video. Victims attempting to load the video experience a crashing of the video player, according to NorthBit researchers. As the video player crashes and restarts, data regarding the smartphone’s hardware and software are transmitted to an attacker who can check for the presence of the vulnerability. Next, a new video is sent to the phone along with malware that is exploited within the phone’s mobile browser that gives attackers control over the phone.
NorthBit created the vulnerability as a proof of concept and said, in a research report documenting the exploit (PDF), that its research was built off Google’s own research on Stagefright. Others in the security community say the flaw highlights fundamental security issues around patching that spans the entire software spectrum. Chris Eng, VP of research at Veracode, said those issues are impacting the Android community particularly hard.
“Patching application vulnerabilities is especially challenging for the Android community with the number of different manufactures and carriers charged with the responsibility of issuing patches to devices,” said Eng in an email to Threatpost. “As with Stagefright, we anticipate that Google will be quick to issue a patch to resolve this problem. However, we hope that we don’t see a replay of Stagefright 2.0 where many of the patches hadn’t been rolled out to end-users.”
Metaphor is the latest exploit to take advantage of flaw (CVE-2015-3864) in the Android Mediaserver library component. Stagefright was first uncovered by Joshua Drake last July. Google has patched its Mediaserver more than two dozen times since the Stagefright vulnerability was discovered. Last week, Google issued two critical patches addressing Stagefright vulnerabilities.
NorthBit says it discovered a way to “bypass” the Android address space layout randomisation (ASLR) in the Mediaserver component. Researchers wrote: “Breaking ASLR requires some information about the device, as different devices use slightly different configurations which may change some offsets or predictable addresses locations. Using the same vulnerability, it is possible to gain arbitrary pointer read to leak back to the web browser and gather information in order to break the ASLR”.
NorthBit said it was then able to execute JavaScript Metadata encoded inside the media file sent to the targeted phone using “<video>” tag properties width, height and duration. Next, the Mediaserver parses and sends metadata from within the media file back to the web browser where attackers can then take control over the phone, according to NorthBit.
NorthBit estimates that 23 percent of Android devices run OS versions 5.0 and 5.1, leaving 235 million devices vulnerable to this hack. Google and affected OEM phone makers have not made any public statements regarding the vulnerability.
“Google shares some of the same patch management challenges that have haunted Microsoft in the past,” said Will Stofega, mobile analyst with IDC. He said OEM software fragmentation coupled with the fact carriers are notorious foot draggers in issuing and deploying software updates makes it extremely difficult to patch these types of holes fast. “This is one more serious Android vulnerability that will hopefully push Google and wireless carriers to more effectively work together on patch management.”