In the world of Android, Stagefright security flaw is not a new thing. It has existed for years now and Android OEMs and Google have been actively patching it for quite sometime. Infact, Google promises monthly security updates with its Nexus line of devices which fixes Stagefright in its early stages – but not anymore.
Now security researchers at NorthBit have developed a Stagefright exploit, Metaphor, which compromises any Android phone reliably. In simple terms, Stagefright is an Android media library which can be exploited simply from a web browser.
Visiting any website with a malicious MPEG-4 video will crash Android’s media server. Note: Users need not playback the video. Visiting the website serves the purpose for any attacker.
Once crashed, the attacker gets the hardware data back and then the attacker can gather more data by simply sending more video files. It is a back and forth process that will eventually infect the device.
According to a report at Engadget.com, the attack sounds laborious but works quickly. Typically, it takes just 20 seconds to infect any device and Nexus 5 with stock firmware has been deemed the most effective victim.
Google says the android devices running Marshmallow or patched with security level 1 of October 1, 2015 are protected against this stagefright vulnerability.
Google’s answer brings to highlight how few devices are running Marshmallow and also the list of devices which never saw the light of security updates.
The bottomline is that a relatively recent device will protect you against Stagefright but years-old Android devices are still at risk.