Reliable Exploit Developed for Android Stagefright Flaw

Experts at software research firm NorthBit have developed what they believe to be a reliable exploit for a Stagefright vulnerability affecting Google’s Android operating system.

In July 2015, mobile security firm Zimperium reported finding a series of critical remote code execution vulnerabilities in the Android media playback engine Stagefright. The issues reportedly affected 950 million devices, but in many cases they were difficult to exploit, especially in Android 4.1 and later, which include Address Space Layout Randomization (ASLR) mitigations.

Zimperium published a proof-of-concept exploit for CVE-2015-1538 to allow administrators, security teams and penetration testers to determine if a system is vulnerable, but the company noted at the time that the exploit was not 100 percent reliable and had only been successfully tested on a device running Android 4.0.4.

In September 2015, Google researchers developed an exploit for CVE-2015-3864, the identifier assigned after the initial patch for an integer overflow in libstagefright's MPEG4 tx3g data processing (CVE-2015-3824) turned out to be flawed. The exploit from Google bypassed ASLR by brute force and had a success rate of roughly 4 percent per minute.
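The bug class behind CVE-2015-3864, an integer overflow in length arithmetic while parsing media metadata, is easier to reason about in miniature. The C below is an added illustration written for this article, not libstagefright code: a toy routine that sums the sizes of several metadata chunks into one buffer length, shown in the unchecked form that silently wraps and in the checked form that rejects the input. The chunk layout, function names and sample sizes are constructed for the example and do not reproduce the real tx3g structure.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Unchecked accumulation (hypothetical, for illustration): a 32-bit total
 * can wrap past UINT32_MAX, so a buffer later allocated with `total` bytes
 * is far smaller than the chunk data that would be copied into it. */
uint32_t sum_chunk_sizes_unchecked(const uint32_t *sizes, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += sizes[i];          /* wraps silently on overflow */
    return total;
}

/* Checked accumulation: refuse any step that would push the total past
 * `limit` (use UINT32_MAX for "no wrap at all"). The invariant total <= limit
 * holds on every iteration, so `limit - total` never underflows.
 * Returns false on overflow and leaves *out untouched. */
bool sum_chunk_sizes_checked(const uint32_t *sizes, size_t n,
                             uint32_t limit, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (sizes[i] > limit - total)   /* total + sizes[i] > limit */
            return false;
        total += sizes[i];
    }
    *out = total;
    return true;
}

/* Constructed sample: two chunk sizes whose sum exceeds 32 bits. */
static const uint32_t k_overflowing[2] = { 0x10u, 0xFFFFFFF8u };
/* Constructed sample: two ordinary chunk sizes. */
static const uint32_t k_benign[2] = { 0x10u, 0x20u };

/* The wrapped total the unchecked sum produces for the overflowing sample. */
uint32_t demo_wrapped_total(void) {
    return sum_chunk_sizes_unchecked(k_overflowing, 2);   /* 8, not 0x100000008 */
}

/* Whether the checked sum accepts the overflowing sample (it must not). */
bool demo_checked_accepts_overflow(void) {
    uint32_t out = 0;
    return sum_chunk_sizes_checked(k_overflowing, 2, UINT32_MAX, &out);
}

/* The total the checked sum returns for the benign sample. */
uint32_t demo_checked_benign_total(void) {
    uint32_t out = 0;
    if (!sum_chunk_sizes_checked(k_benign, 2, UINT32_MAX, &out))
        return 0;
    return out;
}

int main(void) {
    printf("unchecked total (wrapped): 0x%x\n", demo_wrapped_total());
    printf("checked accepts overflow: %s\n",
           demo_checked_accepts_overflow() ? "yes" : "no");
    printf("checked benign total: 0x%x\n", demo_checked_benign_total());
    return 0;
}
```

The defensive point is the shape of the comparison: test `sizes[i] > limit - total` before adding, never `total + sizes[i] > limit` after the fact, because the latter is computed on the already-wrapped value and passes. Compilers with `-fsanitize=unsigned-integer-overflow` or a review checklist that flags every `size += ...` in a parser catch the same pattern.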

Experts believed this success rate was reasonable if the exploit were used, for example, in a watering hole attack where victims would likely spend more time on the malicious page. However, Google researchers admitted that a more sophisticated technique for bypassing ASLR could be more elegant, reliable and effective.

Building on Google’s work, NorthBit researchers have attempted to develop a more practical exploit that is fast, reliable and stealthy. The new exploit, dubbed “Metaphor,” is said to work not only on devices running Android 2.2 through 4.0, but also Android 5.0 through 5.1 on which it bypasses ASLR protections. Experts demonstrated that Metaphor can be practically exploited in the wild against potentially hundreds of millions of Android devices.

For the exploit to work, the attacker needs to lure the targeted user to a malicious website. This can be accomplished via a specially set up website, a hijacked site, cross-site scripting (XSS) vulnerabilities, ads displayed in <script> or <iframe> tags, and drive-by attacks.

NorthBit pointed out that since the exploited vulnerability affects media parsing, the victim does not need to play a malicious media file. It is enough for the device to parse it, the process in which video length, artist name, title and other metadata are retrieved.

However, for the attack to work, the attacker must trick the victim into spending some time on a malicious web page, a task that can be easily achieved via social engineering, as shown by researchers in a video of the Metaphor exploit in action.

The Metaphor exploit works best on a Nexus 5 smartphone with stock ROM, but it has also been tested on HTC One, LG G3 and Samsung Galaxy S5 devices. Researchers noted that the exploit is not universal as exploitation differs slightly from one vendor to another.

While Google has patched and continues to patch Stagefright flaws, many Android devices will never get the fixes, leaving millions of users vulnerable to attacks.

“Patching application vulnerabilities is especially challenging for the Android community with the number of different manufacturers and carriers charged with the responsibility of issuing patches to devices,” Chris Eng, VP of Research at Veracode, told SecurityWeek.

A paper describing the technical details of Metaphor has been made available by researchers.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
