Stagefright-based ‘Metaphor’ exploit can take control of your phone in just 15 seconds

by: Kris Carlon, March 17, 2016


The old Android malware beastie is at it again, with researchers uncovering a new Stagefright-based exploit that can be used to take control of your Samsung, LG or HTC phone in just 15 seconds. The working exploit has been dubbed “Metaphor” by the Israeli research team that discovered it.


When executed, Metaphor allows malware to be injected into a device that can access, copy and even delete data on the infected device. What’s worse is Metaphor can also be used to take control of the microphone and camera so hackers can spy on the owner and even track their location by turning on GPS. Take a look at the exploit in action below:

How does Metaphor work?

Metaphor reportedly starts with the intended victim receiving a message with a link to a video that crashes the phone’s media player and restarts it. JavaScript on the page then scrapes all available data on the device and sends it to the video host server, which then sends another video file laden with the malware required to take control over the device.

While this may sound like an obvious malware situation to some, having an app crash and restart is a pretty common occurrence, one that would be likely to sucker in millions of unsuspecting users if it fell into the wrong hands. Metaphor exploits the Stagefright vulnerability uncovered last year.



The technical paper on Metaphor from Northbit states the following:

The vulnerability is in media parsing, which means that the victim’s device doesn’t even need to play the media, just parse it.

Parsing is done in order to retrieve metadata such as video length, artist name, title, subtitles, comments, etc., so the intended victim doesn’t even have to play the media content on the infected page for the damage to be done. The researchers do note, however, that the victim needs to linger on the page for the malware to do its thing. Hence the kittens in the video above.

While it is fortunate that Metaphor exists in researchers’ hands and not hackers’, the weakness it exploits is there for anyone who wants to use it. The research team has successfully run it on the Nexus 5, Galaxy S5, LG G3 and HTC One on Android versions 2.2 to 4.0, as well as on Android 5.0 and Android 5.1. Other Android versions are reportedly not vulnerable but you can bet that Google is already working on a patch for it.

You can read the technical paper here if you want to read up further.

  • Diego

    That’s it.
    I’m going windows phone.

    • no, thank you! i’d rather stick with android))

    • Wannabehacker5234

      You are crazy, apps are being pulled from their app store rather than added…

      • gg

        That will change as Microsoft bought Xamarin.

    • Frank Bank

      better hurry

  • Nallaikumaran

    Hello, Google Nexus 6P reseller site. Where is the news?

    Android Vulnerabilities Allow For Easy Root Access (NEW Nexus 6P) – http://blog.trendmicro dot com/trendlabs-security-intelligence/android-vulnerabilities-allow-easy-root-access/

    • Daggett Beaver

      From the article:

      According to Google’s February security bulletin, CVE-2016-0805 affects versions earlier than 4.4.4 to 6.0.1. We cannot comprehensively test all Android devices, but our own testing indicates the following devices are affected:

      Nexus 5
      Nexus 6
      Nexus 6P
      Samsung Galaxy Note Edge

  • aaloo

    oh android. oops you did it again.

  • I’m on 6.0.1 w/ latest (March) security update

  • bouff

    Just want to get this straight. So if I don’t use built-in media player (I use mxplayer) and I don’t use javascript in browser my phone will be safe, right?

  • VAVA Mk2

    LOL how can you have a Nexus 5 and still be on 5.1? XD

  • Sayed ahamed

    Android is pathetic in terms of software

    • gg

      Funny how you put it. This shows that you have no clue how it’s like to build an OS or any kind of software. Look, none of these OSes are safe except OpenBSD (but that’s not an option when you want to make progress). Android is enormous and it’s maintained by thousands of developers, which is a hard thing to maintain. Next, these exploits come to be because Android is open source: people can look at the source code and find vulnerabilities. This is actually a good thing as these exploits can be fixed within literally 2 days. That’s the power of open source: everyone can contribute.

      Trust me when I say that iOS and Windows Mobile have these kinds of flaws (exploits) too, probably even more than Android has! The difference is that these exploits will probably never come to light (but the exploit will be used by black hackers) and it will take years to be found by a good-hearted white hacker. It is false to claim that Android is pathetic in terms of software (Android = software, so this statement doesn’t even make sense in the first place!) while you don’t consider other OSes. Just think about this: it is better to fear and to acknowledge your flaws and take actions to fix them than to give people, that are dependent on the software you provide, a faux sense of safety and security.

      • Sayed ahamed

        Funny how all OEMs forget phones after they sold them, at least they are fixed on iOS

        • gg

          First you blamed Android, now you blame the OEMS? Then you conclude that they’re fixed in iOS – made by Apple (which is for the record not an OEM)? Make up your mind! As I said: Android is hard to maintain on all platforms as it’s open source. The core itself is solid and secure – more than other mobile OSes. If you want long-term support like Apple has, you should flash CyanogenMod. The rule of thumb: don’t buy an Android phone which doesn’t have an open source SOC, CyanogenMod support (community developers). Anyway, Apple has it way easier but fails in proportion more in maintaining the OS than Google. Just let that sink in for a while.

      • Peter

        “This is actually a good thing as these exploits can be fixed within
        literally 2 days. That’s the power of open source: everyone can

        And then never ever deliver those fixes to more than 75% of affected devices.

        Also, Android is NOT open source. Stop spreading that false perception. While AOSP is indeed open, the ‘full’ Android that ships on most devices is certainly not fully open source.

        The difference between iOS ? And only because you yourself mentioned it – is when something like this happens, more than 75% of devices are running the fixed version within 2 months.

        Meanwhile, most Android devices are still vulnerable to stagefright – and will continue to be so.

        • gg

          Wrong, Android itself is open source. Just look it up. You’re the one that is spreading false information. There is no such thing as “‘full’ Android”. Android itself is already a fully functional OS. That what you get from let’s say Samsung is actually a heavily modified version of Android. The heart itself: Android is and will always be open source. Next, Google changed the way security updates are rolled out. There are now monthly updates which are easier to roll out as optimisation is not needed for these updates. Then again there’s something like CyanogenMod which is the only idea how Android should’ve been spread out. It’s a universal OS with day-to-day updates (Nightlies). This exploit is already fixed in the 315 build which was rolled out 4 days ago for all devices that are maintained by CyanogenMod. Check mate, iOS.

          • Scr-U-gle

            Still not fixed on the vast majority of drone devices, no matter how many days it takes to ‘fix’ the issue.

            Most still have Heartbleed issues as well as Stagefright.

            With the majority of OEMs locking down devices and only offering one update if you are lucky, I think that is called check-mate!

        • Prashant Thakur

          full android!!! lol :D

  • I’m good.

    • Angel

      That may be for an older Stagefright vulnerability. This is a new one. If I recall this may be the third Stagefright vulnerability.

  • Peter

    Are we really still talking about Stagefright exploits ? Hasn’t this been dealt with like 2 years ago ? Oh wait… it was, and then delivered to probably 5% of devices…

  • Frank Bank

    I’m pretty scared about this because just the other day I was on this very happy and it said Android authority has stopped working what would you like to do next and I couldn’t answer it I was unsure what I wanted to do next so I went in made a sandwich and came back and it is still asking me that same thing but no seriously I’m scared about this I’m underneath my kitchen table because my mom says it that any disaster a table will do