Nearly a year after the discovery of Stagefright, Metaphor is the most recent exploit of the vulnerability to rear its ugly head.
(Image via Enterprise Security Today)
Last summer, it was nearly impossible to avoid the news about the Stagefright vulnerability. At the time of its unveiling, security researchers believed Stagefright to be the worst Android vulnerability to be discovered. Nearly a year after its discovery, Metaphor is the most recent embodiment of the vulnerability to rear its ugly head.
Social engineering, a popular technique used to lure victims into becoming infected with malware, plays a key role in encouraging victims to open web pages that allow the exploit to take place and for Metaphor to be fully effective.
Methods to lure victims into triggering Metaphor may include popups and links on malicious and/or hacked websites, as well as trusted websites that contain malicious content. Metaphor can also be triggered by certain ‘driveby’ social engineering tactics — the exploit can take place when a user connects to a free, unsecured Wi-Fi network or scans a QR code advertising an innocent-looking game or app.
Essentially, Metaphor targets the same Android library (libstagefright) as the original Stagefright vulnerability but is implemented differently. To properly exploit the vulnerability, the team from NorthBit used a different method than that of Stagefright. Their implementation involves the exploitation of the CVE-2015-3864 and the Address Space Layout Randomisation (ASLR) bypass. ASLR is a technology used to stop shellcode from being successfully executed.
One of the most significant (and scary) parts about Metaphor is its ability to affect a large percentage of Android devices. The implementation of Metaphor can exploit devices that are on Android 5.0-5.1 and, in general, can affect virtually around 36.1% of Android devices. I say “virtually affected” since this exploit is not implemented to work universally. Exploitation is unique to each device encountered, and because of this, small changes in the code are needed to target and attack a specific device.
Parsing’s role in Metaphor
So how is Metaphor any different from the original Stagefright bug, then? The main feature that separates the two flaws is Address Space Layout Randomisation (ASLR) bypass. An attack will need device-specific, pre-built information in order to successfully bypass ASLR. A big database of device fingerprints (Android and device build versions) could increase the amount of devices that are vulnerable to attack.
How can users stay clear of Metaphor?
Mutating mobile malware has begun to become more and more of a common topic. To avoid coming into contact with Metaphor (and other nasty exploits), it’s crucial that individuals and businesses alike use common sense when operating mobile devices. In addition, it’s generally a good idea to take the following precautions:
- Ensure that you apply all of the monthly security OTA fixes from your mobile vendor.
- Don’t open links from emails that seem to be from people that you don’t know
For a comprehensive analysis of Metaphor, read about the exploit in NorthBit’s full report.