The report, which focused on virus infections in Android devices all over the world, said the number of Android viruses exceeded 9.5 million in 2015, which is larger than twice the total number in the past three years.
The researchers provided a proof-of-concept (PoC) video below demonstrating the attack on an Android Nexus 5 smartphone, and the attack took no more than 20 seconds before the device was completely compromised. The company also said it had tested on the LG G3, HTC One and a Samsung Galaxy S5. “Approximately 36 percent of the 1.4 billion active Android phones and tablets run Android 5 or 5.1 and devices lacking the latest updates would be vulnerable”, NorthBit co-founder Gil Dabah was quoted as saying. Thankfully, other versions of Android don’t seem to be affected by the issue.
Stagefright: 275 Million Android devices vulnerable to new exploit: How To Protect Your Phone?
The company estimates, however, that around 275 million devices are open to being hacked in such a way as they either lack ASLR or can be breached with this newly-discovered method. 1 are vulnerable to hacking.
The bug was hacked by security research firm NorthBit, who claimed it had “properly” hacked the bug, which has been described as the “worst ever detected”.
Stagefright itself is a vulnerability in software library, written in C++, that’s built inside the the Android operating system.
In the video, the victim, who is using a Nexus 6, opens a link leading to cat photos, while NorthBit shows the exploit churning away.
That bug, called Stagefright, affects millions of handsets running Android versions 4.0, 5.0 and 5.1 as well as other versions thought to be protected because they run address space layout randomization (ASLR) within the Mediaserver component or had been patched since Stagefright was revealed last summer. In order for the security attackers to be successful in hijacking the device, they are required to perform a flow of operations.
“We managed to exploit it to make it work in the wild”, it added. Explaining the payload, the paper said, “It is possible to gain arbitrary pointer read to leak back to the web browser and gather information in order to break the ASLR”.
Originally, Gadgets 360 reports that the first Stagefright bug was first discovered in July by the Zimperium Mobile Security. The hack was said to be able to execute remote code on Android devices and could possibly affect up to 95 percent of Android devices. Stagefright 2.0 was later discovered, doing the same thing, but exploiting issues in mp3 and mp4 files.
Android users who want to protect themselves against Metaphor-style attacks should install the latest OS version if at all possible. As Ars has long reported, device manufacturers and carriers often make it impossible for customers to update without rooting their devices. People who are left using vulnerable versions have few options other than to limit the websites they visit. Update: In an e-mail received after this post went live, a Google representative wrote: “Android devices with a security patch level of October 1, 2015 or greater are protected because of a fix we released for this issue (CVE-2015-3864) last year. As always, we appreciate the security community’s research efforts as they help further secure the Android ecosystem for everyone.”