Metaphor exploit makes use of both Stagefright flaws

Mar 17, 2016 22:22 GMT

Hanan Be'er, a security researcher at the Israeli firm NorthBit, has developed a fully functional exploit that leverages the Stagefright vulnerability to compromise Android devices.

Security researchers from Zimperium publicly disclosed the Stagefright vulnerability last July, prompting Google to start delivering monthly security updates for Nexus devices the following month.

Google attempted to fix Stagefright last September, but the patch turned out to be incomplete, and the discovery of a second set of bugs, dubbed Stagefright 2.0, made the problem worse and added to its notoriety.

First fully-functional Stagefright exploit

Now, more than half a year after Stagefright surfaced, NorthBit is releasing details of an exploit chain that abuses the libstagefright library inside Android's mediaserver component to take over devices.

The exploit builds on partial exploit code previously released by Zimperium, the company that discovered the Stagefright vulnerability, and by Google.

NorthBit's attack scenario is simple: the attacker only needs to lure the user to a web page that hosts a malicious image or video.

Because the Stagefright flaw corrupts memory in mediaserver while libstagefright parses the metadata of a media file, merely loading the page is enough to expose the user: the browser hands the embedded file to mediaserver for parsing, and no click or download is required.

Metaphor exploit takes time to execute

The good news is that the attack takes some time to execute, because it has to pass through three separate stages. The bad news is that mobile connections are slow anyway, so the delay does not look suspicious and most users will simply wait. The attack can also be hidden behind a longer video the user is already watching.

In the first stage, a malicious image or video containing exploit code crashes the user's mediaserver process and forces it to restart, and the attacker uses this to gather information about the particular device, including its memory layout.

Using the data collected from the device, the attacker's server generates a custom video for that victim (the second stage). This file carries a more powerful payload that runs with the privileges of the mediaserver process, which on stock builds is the media user rather than root but still has direct access to the camera, microphone and stored media. From there the attacker can pull data off the device or, with a further privilege escalation, install spyware or other malware (the third stage).

The new exploit, called Metaphor, works on Android 2.2 through 4.0, which lack ASLR, and also on Android 5.0 through 5.1, even though those versions do have ASLR. Ironically, to bypass ASLR, NorthBit reused the information-leak technique from the Stagefright exploit published by Google's Project Zero team.

In their tests, the researchers ran Metaphor successfully against a Nexus 5, an HTC One, an LG G3 and a Samsung Galaxy S5. Below is a video of the attack in action.