Reliable Exploit Developed for Android Stagefright Flaw

Experts at software research firm NorthBit have developed what they believe to be a reliable exploit for a Stagefright vulnerability affecting Google’s Android operating system.

In July 2015, mobile security firm Zimperium reported finding a series of critical remote code execution vulnerabilities in the Android media playback engine Stagefright. The issues reportedly affected 950 million devices, but in many cases they were difficult to exploit, especially in Android 4.1 and later, which include Address Space Layout Randomization (ASLR) mitigations.

Zimperium published a proof-of-concept exploit for CVE-2015-1538 so that administrators, security teams and penetration testers could determine whether a system is vulnerable, but the company noted at the time that the exploit was not 100 percent reliable and had only been successfully tested on a device running Android 4.0.4.

In September 2015, Google researchers developed an exploit for CVE-2015-3864, the identifier assigned to an integer overflow in libstagefright's handling of MPEG4 tx3g (timed text) chunks after the original fix for that bug (CVE-2015-3824) turned out to be incomplete. Google's exploit bypassed ASLR by brute force and had a success rate of roughly 4 percent per minute.
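The tx3g overflow and its two-stage fix, as an added worked example (not code from the page, from Google or from NorthBit): a simplified model in C of the libstagefright pattern the paragraph describes, written from the public description of the bugs rather than copied from AOSP. It parses constructed MP4 box headers, then applies three length policies to the `size + chunk_size` allocation: no check (the original overflow), a check evaluated in 64-bit arithmetic that still passes for a 64-bit "largesize" (the shape of an incomplete fix), and a check that first rejects any chunk size that cannot fit a 32-bit size_t. The 32-bit target model, the function names and the sample box headers are assumptions of the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model a 32-bit Android target, where size_t is 32 bits wide. An explicit
 * 32-bit type keeps the behaviour identical on a 64-bit host. (Assumption of
 * this example, not a libstagefright definition.) */
typedef uint32_t target_size_t;
#define TARGET_SIZE_MAX UINT32_MAX

/* Which length check the tx3g handler applies before allocating. */
enum check_mode { CHECK_NONE, CHECK_FLAWED, CHECK_FIXED };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Parse an MP4 box header: 4-byte big-endian size, 4-byte type. A size of 1
 * means a 64-bit "largesize" follows, which is why the chunk size is a 64-bit
 * value even on a 32-bit device. Returns the header length (8 or 16), or 0 if
 * the input is too short. */
static size_t parse_box_header(const uint8_t *buf, size_t len,
                               char type[5], uint64_t *chunk_size) {
    if (len < 8) return 0;
    uint32_t size32 = be32(buf);
    memcpy(type, buf + 4, 4);
    type[4] = '\0';
    if (size32 == 1) {
        if (len < 16) return 0;
        *chunk_size = be64(buf + 8);
        return 16;
    }
    *chunk_size = size32;
    return 8;
}

/* Return true if the box must be rejected before size + chunk_size bytes are
 * allocated. CHECK_FLAWED models a check written against SIZE_MAX but
 * evaluated in 64-bit arithmetic: for chunk_size >= 2^32 the subtraction
 * wraps and the box is accepted. CHECK_FIXED first rejects any chunk_size
 * that does not fit the target's size_t at all. */
static bool reject_length(enum check_mode mode, target_size_t size,
                          uint64_t chunk_size) {
    switch (mode) {
    case CHECK_NONE:   return false;
    case CHECK_FLAWED: return (uint64_t)TARGET_SIZE_MAX - chunk_size <= size;
    case CHECK_FIXED:  return chunk_size > TARGET_SIZE_MAX ||
                              TARGET_SIZE_MAX - chunk_size <= size;
    }
    return true;
}

/* Simulate the allocation in the tx3g handler: `existing` bytes of timed-text
 * data are already held for the track and chunk_size bytes are appended.
 * Returns the byte count the 32-bit target would pass to new[] (the 64-bit
 * sum truncated to size_t), or -1 if the length check rejects the box. */
static int64_t tx3g_alloc_size(enum check_mode mode, target_size_t existing,
                               uint64_t chunk_size) {
    if (reject_length(mode, existing, chunk_size)) return -1;
    return (int64_t)(target_size_t)((uint64_t)existing + chunk_size);
}

/* True when the handler allocates a buffer smaller than the data it is about
 * to copy into it, i.e. the following copy/read overruns the heap buffer. */
static bool tx3g_overflows(enum check_mode mode, target_size_t existing,
                           uint64_t chunk_size) {
    int64_t alloc = tx3g_alloc_size(mode, existing, chunk_size);
    if (alloc < 0) return false; /* rejected: nothing allocated */
    return (uint64_t)alloc < (uint64_t)existing + chunk_size;
}

/* Constructed box headers for the demo (not taken from any real file). */
static const uint8_t BOX_BENIGN[8] = {0x00, 0x00, 0x00, 0x40, 't', 'x', '3', 'g'};
static const uint8_t BOX_WRAP32[8] = {0xFF, 0xFF, 0xFF, 0xF0, 't', 'x', '3', 'g'};
static const uint8_t BOX_LARGE[16] = {0x00, 0x00, 0x00, 0x01, 't', 'x', '3', 'g',
                                      0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10};

int main(void) {
    const uint8_t *boxes[] = {BOX_BENIGN, BOX_WRAP32, BOX_LARGE};
    const size_t lens[] = {8, 8, 16};
    const char *names[] = {"none", "flawed", "fixed"};
    const target_size_t existing = 0x20; /* bytes already stored for the track */
    for (size_t i = 0; i < 3; i++) {
        char type[5]; uint64_t cs;
        if (!parse_box_header(boxes[i], lens[i], type, &cs)) continue;
        for (int m = CHECK_NONE; m <= CHECK_FIXED; m++)
            printf("%s chunk=0x%llx check=%-6s alloc=%lld overflow=%d\n", type,
                   (unsigned long long)cs, names[m],
                   (long long)tx3g_alloc_size((enum check_mode)m, existing, cs),
                   tx3g_overflows((enum check_mode)m, existing, cs));
    }
    return 0;
}
```

The 32-bit-size header (0xFFFFFFF0) is the case the original patch catches: the subtraction stays in range and the box is rejected. The largesize header (0x100000010) is the case it misses: the subtraction wraps, the box passes, and the truncated sum allocates 0x30 bytes for a copy of more than 4 GB. Only the check that first bounds chunk_size against the target's SIZE_MAX rejects both.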

Experts considered this success rate acceptable if the exploit were used, for example, in a watering hole attack where victims would likely spend more time on the malicious page. However, Google researchers acknowledged that a more sophisticated ASLR bypass could make the exploit more elegant, reliable and effective.

Building on Google’s work, NorthBit researchers set out to develop a more practical exploit that is fast, reliable and stealthy. The new exploit, dubbed “Metaphor,” is said to work not only on devices running Android 2.2 through 4.0, which lack ASLR, but also on Android 5.0 through 5.1, where it bypasses ASLR protections. The researchers say this shows the vulnerability can be practically exploited in the wild against potentially hundreds of millions of Android devices.

For the exploit to work, the attacker needs to lure the targeted user to a malicious website. This can be accomplished via a specially set up website, a hijacked site, cross-site scripting (XSS) vulnerabilities, ads displayed in <script> or <iframe> tags, and drive-by attacks.

NorthBit pointed out that since the exploited vulnerability is in media parsing, the victim does not need to play a malicious media file. The device only has to parse it, which happens when metadata such as video length, artist name and title is retrieved.

However, for the attack to work, the attacker must trick the victim into spending some time on a malicious web page, a task that can be easily achieved via social engineering, as shown by researchers in a video of the Metaphor exploit in action.

The Metaphor exploit works best on a Nexus 5 smartphone with a stock ROM, but it has also been tested on HTC One, LG G3 and Samsung Galaxy S5 devices. Researchers noted that the exploit is not universal, as exploitation differs slightly from one vendor to another.

While Google has patched and continues to patch Stagefright flaws, many Android devices will never get the fixes, leaving millions of users vulnerable to attacks.

“Patching application vulnerabilities is especially challenging for the Android community with the number of different manufacturers and carriers charged with the responsibility of issuing patches to devices,” Chris Eng, VP of Research at Veracode, told SecurityWeek.

A paper describing the technical details of Metaphor has been made available by researchers.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
