Stagefright-based 'Metaphor' exploit can take control of your phone in just 15 seconds

Security researchers have uncovered a new Stagefright-based exploit that can reportedly be used to take control of your Samsung, LG or HTC phone in just 15 seconds.
March 17, 2016

The old Android malware beastie is at it again, with researchers uncovering a new Stagefright-based exploit that can be used to take control of your Samsung, LG or HTC phone in just 15 seconds. The working exploit has been dubbed “Metaphor” by the Israeli research team that discovered it.

When executed, Metaphor allows malware to be injected into a device that can access, copy and even delete data on the infected device. What’s worse is Metaphor can also be used to take control of the microphone and camera so hackers can spy on the owner and even track their location by turning on GPS. Take a look at the exploit in action below:

How does Metaphor work?

Metaphor reportedly starts with the intended victim receiving a message with a link to a video that crashes the phone’s media player and restarts it. JavaScript on the page then scrapes all available data on the device and sends it to the video host server, which then sends another video file laden with the malware required to take control over the device.

While this may sound like an obvious malware situation to some, having an app crash and restart is a pretty common occurrence, one that would be likely to sucker in millions of unsuspecting users if it fell into the wrong hands. Metaphor exploits the Stagefright vulnerability uncovered last year.

The technical paper on Metaphor from Northbit states the following:

“The vulnerability is in media parsing, which means that the victim’s device doesn’t even need to play the media, just parse it.”

Parsing is done in order to retrieve metadata such as video length, artist name, title, subtitles, comments, etc., so the intended victim doesn’t even have to play the media content on the infected page for the damage to be done. The researchers do note, however, that the victim needs to linger on the page for the malware to do its thing. Hence the kittens in the video above.

While it is fortunate that Metaphor exists in researchers’ hands and not hackers’, the weakness it exploits is there for anyone who wants to use it. The research team have successfully run it on the Nexus 5, Galaxy S5, LG G3 and HTC One on Android versions 2.2 to 4.0, as well as on Android 5.0 and Android 5.1. Other Android versions are reportedly not vulnerable, but you can bet that Google is already working on a patch for it.

You can read the technical paper here if you want to read up further.