Almost 300 million phones running Google’s Android operating system are vulnerable to a newly developed drive-by attack that can install malware and take control of key operations, a security firm has warned.
A proof-of-concept exploit dubbed Metaphor works against Android versions 2.2 through 4.0 and 5.0 and 5.1, which together are estimated to run 275 million phones, researchers from Israeli security firm NorthBit said. It attacks the same Stagefright media library that made an estimated 950 million Android phones susceptible to similar code-execution attacks last year. The following video demonstrates how a malicious attacker might use a Metaphor-style attack to take control of a phone after luring an unsuspecting end user to a booby-trapped website.
The NorthBit-developed attack exploits a Stagefright vulnerability discovered and disclosed last year by Zimperium, the security firm that first demonstrated the severe weaknesses in the code library. For reasons that aren’t yet clear, Google didn’t fix the vulnerability in some versions, even though the company eventually issued a patch for a different bug that had made the Zimperium exploits possible. While the newer attack is in many ways a rehash of the Zimperium work, it’s able to exploit an information leak vulnerability in a novel way that makes code execution much more reliable in newer Android releases. Starting with version 4.1, Android was fortified with an anti-exploitation defense known as address space layout randomization, which loads downloaded code into unpredictable memory regions to make it harder for attackers to execute malicious payloads. The breakthrough of Metaphor is its improved ability to bypass it.