Why Metaphor Android phone hack isn't the Stagefright exploit you expect

Metaphor relies on poor Android patches, but users can still fend off attacks

If you're an Android owner, you have probably already heard of Metaphor - a scary-sounding exploit for the Stagefright flaw found in Google's mobile operating system last year.

The media is hyping Metaphor, discovered by researchers at Israeli security firm NorthBit, as the first reliable exploit of Stagefright, which was judged by some to be too difficult to take advantage of.

Advertisement - Article continues below

Stagefright is a media library within Android that allows the operating system to interpret various media, namely video files, audio files, and picture files.

The Stagefright bug, and later version of it, exploits integer overflow vulnerabilities in the Stagefright software library, which can allow an attacker to hijack a device.

How Metaphor works, and why it's dangerous

Unlike previous Stagefright exploits, Metaphor relies on JavaScript, rather than MMS, so users would need to be coaxed into visiting a compromised or malicious site and remaining there for some time while the attack took place.

So far, so scary. But what a lot of the reporting of this new Stagefright bug overlooks is the reason why so many Android devices are still vulnerable to this type of attack.

The problem with protecting against Metaphor, and against all Android vulnerabilities, is more to do with the way that Android is distributed than anything else. Namely, because Android is adapted and reskinned by each vendor, the roll out of new OS versions across all Android devices is painfully slow.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

So, while Android Marshmallow and Lollipop both come with Stagefright patches in place, that's cold comfort to the 62 per cent of users whose phones do not run either of those operating systems.

These users are left vulnerable to attack simply because their devices do not yet support the latest operating system, even if it is relatively new.

How to beat Metaphor

However, users are not completely helpless in the face of Metaphor - not clicking on strange or unexpected links, stopping pages that try to redirect you, or exiting a page if it seems to be doing something strange could help thwart an attack, as it requires users to stay on the malicious page for up to two minutes in some cases.

But ultimately, it is up to the Android ecosystem to work out how to roll out updates faster, because leaving users as sitting ducks is not only unsafe, it's also unfair.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/security/encryption/355820/k2view-innovates-in-data-management-with-new-encryption-patent
encryption

K2View innovates in data management with new encryption patent

28 May 2020
Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
Visit/security/cyber-security/355368/microsoft-builds-ai-to-detect-security-flaws-with-99-accuracy
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020

Most Popular

Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Visit/infrastructure/server-storage/355785/dell-emc-poweredge-r7525-review-an-epyc-core-density-to-make
Server & storage

Dell EMC PowerEdge R7525 review: An EPYC core density to make Intel weep

26 May 2020
Visit/infrastructure/network-internet/355792/intel-releases-wi-fi-and-bluetooth-driver-updates-for
Network & Internet

Intel releases Wi-Fi and Bluetooth driver updates for Windows 10

26 May 2020