Almost 300 million phones running Google’s Android operating system are vulnerable to a newly developed drive-by attack that can install malware and take control of key operations, a security firm has warned.
A proof-of-concept exploit dubbed Metaphor works against Android versions 2.2 through 4.0, as well as 5.0 and 5.1, which together are estimated to run 275 million phones, researchers from Israeli security firm NorthBit said. It attacks the same Stagefright media library that made an estimated 950 million Android phones susceptible to similar code-execution attacks last year. The following video demonstrates how a malicious attacker might use a Metaphor-style attack to take control of a phone after luring an unsuspecting end user to a booby-trapped website.
The NorthBit-developed attack exploits a Stagefright vulnerability discovered and disclosed last year by Zimperium, the security firm that first demonstrated the severe weaknesses in the code library. For reasons that aren’t yet clear, Google didn’t fix the vulnerability in some versions, even though the company eventually issued a patch for a different bug that had made the Zimperium exploits possible. While the newer attack is in many ways a rehash of the Zimperium work, it exploits an information leak vulnerability in a novel way that makes code execution much more reliable on newer Android releases. Starting with version 4.1, Android was fortified with an anti-exploitation defense known as address space layout randomization (ASLR), which loads code and data at unpredictable memory addresses so that an attacker cannot know in advance where a malicious payload must be placed or what it must reference. Metaphor’s breakthrough is a more reliable way of bypassing that defense.
"They’ve proven that it’s possible to use an information leak to bypass ASLR," Joshua Drake, Zimperium’s vice president for platform research and exploitation, told Ars. "Whereas all my exploits were exploiting it with a brute force, theirs isn’t making a blind guess. Theirs actually leaks address info from the media server that will allow them to craft an exploit for whoever is using the device."
The other big advance offered by Metaphor is that it works on a wider base of phones. Previous patches published by Google make anyone with version 5.1 or higher immune, and in some cases those may also protect users of 4.4 or higher, Drake said. Metaphor, by contrast, exposes users of 5.1, which is estimated to run on 19 percent of Android phones. Currently, Metaphor works best on Nexus 5 models with a stock ROM, but it also works on the HTC One, LG G3, and Samsung S5, the company said. Depending on the vendor, a drive-by attack requires anywhere from 20 seconds to two minutes to work.