New Stagefright exposing Android's 'fundamental' issues

A new Stagefright-based malware has been spotted, one which can take control of a victim's Android smartphone, get access to all of its data, use the microphone and the camera to spy on the victim, and even use the device's GPS to track the phone.

The malware was named Metaphor, by the Israeli research team NorthBit that actually created it.

It works in a similar fashion to the original Stagefright: first the victim gets a message with a link to a video file. Once pressed, the video crashes the media player app and restarts it. This time, however, Javascript will load another video file, infected with malware needed to take over the device.

Commenting on the vulnerability, vice president of research at security firm Veracode, Chris Eng, said that Android is showing ‘fundamental security issues’: “With the discovery of the ‘Metaphor’ vulnerability, 2016 is the third year in a row when a serious application exploit has been discovered which could impact millions of devices. With all devices running Android 2.2, 4.0, 5.0 and 5.1 now at risk (which includes popular phones including the HTC One and the Samsung Galaxy S5), once again this flaw highlights the fundamental security issues that spans the entire software spectrum.”

He also said patching is always a problem with Android, because of multiple manufacturers and carriers that split the responsibility of patching the devices:

“Patching application vulnerabilities is especially challenging for the Android community with the number of different manufactures and carriers charged with the responsibility of issuing patches to devices. As with Stagefright, we anticipate that Google will be quick to issue a patch to resolve this problem. However, we hope that we don’t see a replay of Stagefright 2.0 where many of the patches hadn’t been rolled out to end-users.”