Android's Stagefright multimedia library is the center of attention once again, now that researchers have found a new way to exploit a vulnerability that Google had already patched. This time, researchers are showing how Android phones can be hacked remotely in less than 10 seconds.
It takes a bit of phishing, but once an Android user bites on the bait — a link to a malicious website — it only takes 10 seconds, in many cases, to bend a victim's mobile device to the will of a hacker.
Israel-based research firm NorthBit discovered the new exploit for the old vulnerability and named it "Metaphor." The researchers have released a video showing Metaphor in action and have shared a paper explaining how to leverage the Metaphor exploit.
While Metaphor relies on findings from other probes into Stagefright vulnerabilities, NorthBit said its exploit "has been proven practical to exploit in the wild."
"Our exploit works best on Nexus 5 with stock ROM," says NorthBit. "It was also tested on HTC One, LG G3 and Samsung S5; however exploitation is slightly different between different vendors. Slight modifications were needed."
Because of the modifications needed to attack different Android handsets, the time it takes to launch an attack via Metaphor ranges from about 10 seconds to two minutes.
Metaphor works by crashing the mediaserver on the victim's phone, using a bit of bugged video to do the job. As the mediaserver is resetting itself, Metaphor looks for the Stagefright vulnerability and hands over the information about the victim's phone to the attack server.
From there, the attack server sends a new video file that leaks more details about the victim's mobile device. Then the attack server sends another video file, stuffed with malware, to finish the job and take control of the targeted device.
To leverage an attack using Metaphor, NorthBit says the attacker will need to know some basic information about the victim's mobile device ahead of time.
Watch the video below to see how Metaphor launches a remote attack against a poor Android handset that was directed to the wrong website.