Researchers at NorthBit have discovered a new variant of last year’s notorious Stagefright vulnerability that threatens all unpatched Android devices.
In July of 2015, the security team at Zimperium first published its research on Stagefright, a critical security vulnerability in Android phones which could be used by attackers to silently and remotely infect them with malware.
Zimperium’s researchers explained in last summer’s post that with only a target’s phone number, attackers can send a user a specially crafted media file delivered via Multimedia Messaging Service (MMS). A successful exploit requires absolutely no user input before compromising the device, leaving the victim with a compromised phone through which attackers can spy on their activities.
Several months later, Zimperium’s research teams released a follow-up post in which they disclosed “Stagefright 2.0,” a bug through which attackers can compromise Android users’ devices via a specially crafted audio or MP4 video file.
That’s bad news for potentially millions of Android devices.
Unfortunately, a new Stagefright exploit signals that we have now gone from bad to worse.
Hanan Be’er, a researcher with advanced software research firm NorthBit, presents in a new report what he describes as “a (real) real-life Stagefright exploit” that he has dubbed “Metaphor”.
The exploit involves four steps:
- An attacker tricks a user via XSS, ads, or a drive-by campaign into visiting a malicious webpage containing a specially crafted video file that crashes Android’s mediaserver and forces it to reset its internal state. The target does not need to click on the video file for this first step to work, as the exploit begins as soon as the web browser begins parsing the file.
- The server responds with a custom video file that exploits the Stagefright vulnerability in an effort to extract more information about the user’s device and send it back to the attacker.
- A third video file is generated and sent to the victim from the attacker’s private server. This file, however, contains embedded malware that runs with all privileges.
This newest exploit of Stagefright leverages CVE-2015-3864 and bypasses address space layout randomization (ASLR), as Be’er explains:
“It was claimed [the bug] was impractical to exploit in the wild, mainly due to the implementation of exploit mitigations in newer Android versions, specifically ASLR. The team here at North-Bit has built a working exploit affecting Android versions 2.2 to 4.0 and 5.0 to 5.1, while bypassing ASLR on versions 5.0 to 5.1 (as Android versions 2.2 to 4.0 do not implement ASLR).”
A YouTube video of the exploit in action can be viewed below:
According to NorthBit’s report, its researchers have built a working exploit affecting Android versions 2.2 - 4.0 and 5.0 - 5.1, while bypassing ASLR on versions 5.0 - 5.1 (as Android versions 2.2 - 4.0 do not implement ASLR).
To read more about this exploit, please check out the research paper.
The report is of little consolation to Android users whose devices cannot receive or have not received the Stagefright patches. But at the very least, it provides some context on the threat facing users.
NoScript therefore could potentially prevent the malicious webpage’s script from successfully completing the second step of the Metaphor exploit.