Reliable Exploit Developed for Android Stagefright Flaw

Experts at software research firm NorthBit have developed what they believe to be a reliable exploit for a Stagefright vulnerability affecting Google’s Android operating system.

In July 2015, mobile security firm Zimperium reported finding a series of critical remote code execution vulnerabilities in the Android media playback engine Stagefright. The issues reportedly affected 950 million devices, but in many cases they were difficult to exploit, especially in Android 4.1 and later, which include Address Space Layout Randomization (ASLR) mitigations.

Zimperium published a proof-of-concept exploit for CVE-2015-1538 to allow administrators, security teams and penetration testers to determine if a system is vulnerable, but the company noted at the time that the exploit was not 100 percent reliable and it had only been successfully tested on a device running Android 4.0.4.

In September 2015, Google researchers developed an exploit for CVE-2015-3864. That identifier was assigned after the initial patch for CVE-2015-3824, an integer overflow triggered in libstagefright during MPEG4 tx3g data processing, turned out to be flawed. The exploit from Google could bypass ASLR with brute force and had a success rate of roughly 4 percent per minute.
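As an added illustration that is not code from the article, from NorthBit or from the Android project: the bug class named above, an integer overflow in a size calculation, in the shape it typically takes in a container parser. A parser already holds `have` bytes of collected text-format metadata and must append a chunk whose length is read straight from the file. The unchecked version computes the allocation size with plain addition, so a hostile chunk length wraps it to a tiny number while a later copy would still use the large length; the hardened version rejects the length before any arithmetic and uses an overflow-checked add. All function names, the cap value and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed cap on how much text-format metadata a parser will hold.
 * This is an assumption for the example, not a libstagefright constant. */
#define MAX_TEXT_META ((size_t)1 << 20)

/* Vulnerable shape: allocation size computed with unchecked addition.
 * `chunk_size` comes straight from the file. The sum wraps (and the 64-bit
 * value truncates on 32-bit targets), so the returned size can be far
 * smaller than the number of bytes a later copy would write.
 * Returns only the computed size so the wrap can be observed safely. */
size_t unchecked_total(size_t have, uint64_t chunk_size)
{
    return have + (size_t)chunk_size;
}

/* Hardened shape: bound the untrusted length first, then add with an
 * overflow-checked builtin (GCC/Clang), then bound the result again.
 * Returns 0 and writes *out on success, -1 on any rejection. */
int checked_total(size_t have, uint64_t chunk_size, size_t *out)
{
    if (chunk_size > MAX_TEXT_META)
        return -1;                        /* reject before any arithmetic */
    size_t total;
    if (__builtin_add_overflow(have, (size_t)chunk_size, &total))
        return -1;                        /* sum would wrap */
    if (total > MAX_TEXT_META)
        return -1;                        /* combined size over the cap */
    *out = total;
    return 0;
}

/* Append a chunk to existing metadata using the checked size.
 * On success returns a freshly allocated buffer of *out_len bytes that the
 * caller frees; on rejection returns NULL and leaves *out_len untouched. */
uint8_t *append_chunk(const uint8_t *have_buf, size_t have,
                      const uint8_t *chunk, uint64_t chunk_size,
                      size_t *out_len)
{
    size_t total;
    if (checked_total(have, chunk_size, &total) != 0)
        return NULL;
    uint8_t *buf = malloc(total ? total : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, have_buf, have);
    memcpy(buf + have, chunk, (size_t)chunk_size);
    *out_len = total;
    return buf;
}

/* Stand-alone demonstration on constructed input. */
int main(void)
{
    const uint8_t existing[] = { 't', 'x', '3', 'g' };   /* constructed bytes */
    const uint8_t chunk[]    = { 'm', 'e', 't', 'a' };   /* constructed bytes */

    /* A hostile length read from a file header: the unchecked sum wraps to 3. */
    size_t bad = unchecked_total(sizeof existing, UINT64_MAX);

    size_t len = 0;
    uint8_t *ok = append_chunk(existing, sizeof existing, chunk, sizeof chunk, &len);
    uint8_t *rejected = append_chunk(existing, sizeof existing, chunk, UINT64_MAX, &len);

    int result = (bad == 3 && ok != NULL && len == 8 && rejected == NULL) ? 0 : 1;
    free(ok);
    return result;
}
```

The order of the checks matters: bounding `chunk_size` against the cap before casting it to `size_t` is what makes the 32-bit truncation case harmless, and checking the final `total` catches the case where each operand is individually sane but the pair together exceeds the cap.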

Experts believed this success rate was reasonable if the exploit would be used, for example, in a watering hole attack where victims would likely spend more time on the malicious page. However, Google researchers admitted that it could be more elegant, reliable and effective to use a more sophisticated technique to bypass ASLR.

Building on Google’s work, NorthBit researchers have attempted to develop a more practical exploit that is fast, reliable and stealthy. The new exploit, dubbed “Metaphor,” is said to work not only on devices running Android 2.2 through 4.0, but also Android 5.0 through 5.1, on which it bypasses ASLR protections. The researchers demonstrated that the flaw can be practically exploited in the wild with Metaphor against potentially hundreds of millions of Android devices.

For the exploit to work, the attacker needs to lure the targeted user to a malicious website. This can be accomplished via a specially set up website, a hijacked site, cross-site scripting (XSS) vulnerabilities, ads displayed in <script> or <iframe> tags, and drive-by attacks.

NorthBit pointed out that since the exploited vulnerability affects media parsing, the victim does not need to play a malicious media file. Instead, the device only needs to parse it, the process in which video length, artist name, title and other metadata is retrieved.

However, for the attack to work, the attacker must trick the victim into spending some time on a malicious web page, a task that can be easily achieved via social engineering, as shown by researchers in a video of the Metaphor exploit in action.

The Metaphor exploit works best on a Nexus 5 smartphone with stock ROM, but it has also been tested on HTC One, LG G3 and Samsung Galaxy S5 devices. Researchers noted that the exploit is not universal as exploitation differs slightly from one vendor to another.

While Google has patched and continues to patch Stagefright flaws, many Android devices will never get the fixes, leaving millions of users vulnerable to attacks.

“Patching application vulnerabilities is especially challenging for the Android community with the number of different manufacturers and carriers charged with the responsibility of issuing patches to devices,” Chris Eng, VP of Research at Veracode, told SecurityWeek.

A paper describing the technical details of Metaphor has been made available by researchers.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
