Researchers at Israeli software firm NorthBit have claimed to have exploited a newly found Stagefright bug to hack into Android smartphones remotely.
This comes within a year after the first Stagefright bug was discovered by cybersecurity firm Zimperium Mobile Security in July 2015. That discovery showed that Android smartphones could be hacked remotely by a specially crafted media file delivered via MMS.
Later, in October 2015, another exploit was discovered which allowed remote execution of malicious code on smartphones via .mp3 and .mp4 files. The new exploit implementation, termed Metaphor, has been successfully tested on the Nexus 5, LG G3, HTC One and Samsung Galaxy S5, according to the company’s detailed research paper.
Stagefright is the Android operating system’s multimedia library, written in C++. Victims can be lured to websites hosting a malicious video file that is capable of crashing the library. Google had released a patch for the earlier vulnerabilities but it is yet to acknowledge this newly found ‘Metaphor exploit’.
The NorthBit research paper describes a way to bypass Address Space Layout Randomisation (ASLR). The researchers have claimed to create a ‘working exploit’ while bypassing ASLR on versions 5.0 – 5.1, which affects Android versions 2.2 – 4.0 as well. The report noted that Android versions 2.2 – 4.0 do not come with the ASLR memory protection.
“Breaking ASLR requires some information about the device, as different devices use slightly different configurations – which may change some offsets or predictable address locations,” the paper said.
Explaining the payload, the paper said, “It is possible to gain arbitrary pointer read to leak back to the web browser and gather information in order to break the ASLR”.
Around 235 million Android smartphones run Android 5.0 – 5.1, while another 40 million smartphones still run Android 2.x without ASLR.