In what could be seen as a truly alarming sign for millions of Android users across the world, a group of Israeli security researchers recently claimed to have successfully exploited the Stagefright bug to remotely hack a phone.
According to the study conducted by NorthBit, a software research company based out of the Middle Eastern nation, the threat is indeed real and could genuinely affect unsuspecting users if cyber criminals pulled off the same tricks that the researchers used to exploit the vulnerability.
Called Metaphor, the exploit is detailed in a research paper (PDF) published by the company. NorthBit also released a video showing how the vulnerability could be exploited to hack into a Nexus 5.
The exploit was also tested successfully on a range of other devices, including the HTC One, Samsung Galaxy S5, LG G3, and more.
Stagefright is essentially a software library that Google uses to parse videos as well as other media. A known way to exploit it is by setting up a booby-trapped web page or message that activates shortly after infiltration and executes malicious code on the vulnerable devices.
According to the NorthBit research paper, the exploit is carried out in three phases. First, the target surfs to a malicious web page that sends a video file designed specifically to crash the operating system’s media server software and reset its internal state.
In the second phase, JavaScript on the malicious page waits for the media server software to restart and then uses the victim’s internet connection to dispatch vital information about the affected device to the attacker’s private server. The server then generates and sends a custom video file to the affected device, which exploits the loopholes in Stagefright and forces it to reveal more information about the internal system of the device.
In the third and final phase, all the information collected is relayed back to the attacker’s server, which uses it to craft a new video file that releases a payload of malware when Stagefright tries to process it.