'Metaphor' Exploit Threatens Millions of Android Devices—Here's How to Stay Safe
The Stagefright exploit, which allowed for malicious code to be embedded in files on your device, is now very real in the form of Metaphor. Developed by software research company NorthBit, Metaphor is their implementation of exploits to the Stagefright library, and when executed, can access and control data on your device.
Android devices running 2.2 to 4.0 as well as 5.0/5.1 are potentially vulnerable. While testing Metaphor, NorthBit found that the exploit works on the Nexus 5, HTC One, LG G3, and Samsung Galaxy S5. There's no reason to believe it won't work on other phones as well. According to NorthBit, it was easiest to hack Google's Nexus 5, which they were able to exploit in 15 seconds.
When the server receives that data, a custom video file is generated and injected into the webpage. The video fully exploits Stagefright's vulnerability and allows the server to send malware to your phone in the form of another video file.
It can take anywhere from 15 seconds to a couple minutes for all of this to happen. Attackers need you to remain on the site for a little while, which makes this attack more insidious, as you can be tricked into thinking the site is safe. I think we can all admit we've scrolled through pages upon pages of cat pictures for more than 15 seconds at a time.
More detailed information can be found in NorthBit's report.
Hackers have either already found this vulnerability or may now exploit it due to NorthBit's research, so you do need to make sure your device is protected.
Personal responsibility is key when it comes to avoiding a Metaphor attack. The only way your device can become infected is if you click on a bad link, and you can often avoid making that mistake just by seeing where the link came from. When on a webpage or in an email, long-press on any hyperlink to view its URL. If a URL looks suspicious for any reason, avoid it.
Google should release a patch to address Metaphor shortly, but it could be a while before some devices receive it if they're tied to a carrier's update policy. Nexus devices will receive a patch directly from Google, either as a one-off fix or as part of a monthly security update.