Researchers have developed Metaphor, a "fast, reliable, and stealthy" exploit for the Stagefright vulnerability that can affect millions of Android devices. Whether or not the attack becomes widely successful will depend on how seriously carriers and manufacturers react to this threat.
Stagefright refers to the group of security issues in Android library libstagefright that was found last year by researchers at mobile security company Zimperium. Attackers could potentially remotely execute code on the vulnerable device through a malicious email message, website, or even an MMS message.
Google promptly patched the flaws in the library, which parses video and other media files, as well as the Mediaserver component. The company has also fixed related bugs in both libstagefright and Mediaserver since then as part of the monthly security update process.
Metaphor is a generic exploit for Stagefright, not a new flaw in Android. Stagefright was difficult for attackers to successfully target because newer Android versions use Address Space Layout Randomization (ASLR), a technique to protect against memory-based attacks. Researchers from Israel-based North-Bit decided to bypass ASLR entirely to trigger the Stagefright flaw (CVE-2015-3864), and showed that "exploitation of this vulnerability [Stagefright] is feasible," according to their whitepaper.
"It was claimed [Stagefright was] impractical to exploit in the wild, mainly due to the implementation of exploit mitigations in newer Android versions, specifically ASLR," North-Bit's Hanan Be'er wrote.
Attack succeeds on stock ROM
Metaphor follows a three-step process to hijack a vulnerable Android device. It starts with a victim viewing a malicious website. The specially crafted video file on the page crashes the Android device's Mediaserver, forcing the component to restart. The attack server triggers Stagefright to collect information about the device and its internal state, then generates a custom media file with an embedded payload. When the Mediaserver component processes the file (it's not even necessary to play it), it also executes the malicious code, which compromises the device.
"For a user running a vulnerable version of Android, it's as simple as going to a website, connecting to a rogue AP or being under traffic redirection attack, and you get compromised," said Zuk Avraham, founder and CTO of Zimperium. "It's a (relatively) fast and reliable attack."
North-Bit has successfully tested the exploit on a Nexus 5, LG G3, HTC One, and Samsung Galaxy S5, and it's said Metaphor would succeed on Android devices running versions 2.2 to 4.0, 5.0, and 5.1. However, it's hard to assess the accuracy of the researchers' claim that nearly 40 percent of Android devices, of 275 million handsets, are potentially vulnerable.
About 36 percent of current Android devices run version 5.0 or 5.1 (Lollipop), which is a significant portion of the Android user base, but Metaphor only works against nonupdated devices. The paper noted that the attack succeeded on a "Nexus 5 with stock ROM," which means none of the monthly security updates had been applied. Google patched the actual flaw back in September, so Android devices that received the monthly security updates aren't vulnerable.
"Android devices with a security patch level of October 1, 2015 or greater are protected because of a fix we released for this issue (CVE-2015-3864) last year. As always, we appreciate the security community's research efforts as they help further secure the Android ecosystem for everyone," Google said in an emailed statement.
The tricky question is understanding who has the updates. While the fix for Stagefright has been out for months, Android users have to rely on carriers and device manufacturers to push the updates onto the devices. Nexus owners are the exception, as they receive updates directly from Google, alongside power users who install custom ROMs on their devices. Some of the newer Samsung handsets have been updated as well. While both LG and HTC have committed to regular updates, the rollout hasn't been consistent across models.
Several tools can detect if the Android device is vulnerable to Stagefright, such as Zimperium's Stagefright Detector app.
Devices running Android 2.2 to 4.0 typically aren't part of the update cycle, and they account for about 4 percent of the current user base. Metaphor succeeds on those devices since they don't have ASLR and Stagefright hasn't been updated.
The Android update problem
One upside to North-Bit's research: It may shake carriers and handset manufacturers out of their complacency. If they thought Stagefright, while serious, wasn't as critical because it was still difficult to exploit, Metaphor shows that generic exploits aren't far away.
With "further research it may be possible to lay aside all or some of the lookup tables" used to generate custom malicious video files -- and that would lay the groundwork for a generic exploit, North-Bit said in the paper.
Metaphor doesn't rely on malicious apps, so carriers/manufacturers can't even push the responsibility back to Google to detect the bad apps before users install them.
The fact that Android devices lag behind on updates is nothing new. Apple can claim 70 percent adoption of iOS 9 within 2.5 months of releasing the operating system because it controls both the software and hardware. The only way Google can try to match Apple's numbers is to wrest control from carriers and hardware partners, and that isn't likely to happen.
Google is doing its part by releasing the updates in a timely manner. It's up to the carriers like AT&T and Verizon, as well as manufacturers like HTC, Samsung, and LG, to more promptly update a broader class of devices. Otherwise, an attack using Metaphor or similarly designed exploits can easily compromise a large swath of Android devices.