Stagefright hack, which was recently patched by Android and partner OEMs, is still a valid threat for unpatched devices. Israeli security researchers at Northbit, a security firm, claim to have further exploited that hack and have devised a method to hack any unpatched Android device. The group has successfully tested the exploit on a LG G3, HTC One and a Samsung Galaxy S5. Northbit has named the exploit Metaphor and published a PDF that gives full details of the exploit, its workings and how one can make it. Northbit was also able to bypass ASLR (address space layout randomisation) that was re-introduced with Android Lollipop. The researchers wrote in the paer, “Although the bug exists in many versions (nearly a 1,000,000,000 devices) it was claimed impractical to exploit in the wild, mainly due to the implementation of exploit mitigations in newer Android versions, specifically ASLR” . “The team here at North-Bit has built a working exploit affecting Android versions 2.2 to 4.0 and 5.0 to 5.1, while bypassing ASLR on versions 5.0 to 5.1 (as Android versions 2.2 to 4.0 do not implement ASLR,” the paper states. Northbit has shared a video showcasing how fast the exploit can hack a victim’s Android device.
Stagefright itself is a software library, which is coded in C++ and lives inside the Android ecosystem. It is used by Android to parse videos and other media. The Stagefright vulnerability was first cited in 2015 by Zimperium mobile security, and made about 95% of the Android devices vulnerable. Since then only a few devices have received software patches but a majority of Android devices remain vulnerable.