It looks like the Stagefright flaw is a modern day horror movie franchise for Android device users, as it has returned yet again, retaining its status of being a real and consistent danger on affected devices. This is despite promises from Google to have fixed the Stagefright flaw prior.
Theoretically speaking, the Stagefright security flaw has been dangerous, but then implementing it on an Android device reliably was somewhat a saving grace before. Now, this is no longer the case according to security researchers at NorthBit, who have come up with a proof-of-concept Stagefright exploit known as Metaphor that you can see in the video above.
The main factor is a back-and-forth procedure which will size up the device’s defenses that are in place (or not), before it makes its move. For instance, if you drop by a website that has a maliciously-designed MPEG-4 video, the attack will then crash Android’s media server, before sending to the attacker hardware data, alongside another video file, picking up extra security data and delivering the coup de grace – the final video file which will perform the infection.
A typical attack is said to be able to break a phone within 20 seconds, and seems to be most effective where the Nexus 5 with stock firmware is concerned, although it also works on other customized Android variants such as the HTC One, LG G3 and Samsung Galaxy S5. However, do take note that you remain protected against this latest exploit variant should your device carry the October 1st, 2015 security update within.
Google’s advice? “Android devices with a security patch level of October 1, 2015 or greater are protected because of a fix we released for this issue (CVE-2015-3864) last year. As always, we appreciate the security community’s research efforts as they help further secure the Android ecosystem for everyone.”