Israeli software researchers have found a way to exploit Android’s Stagefright vulnerability, previously found to leave millions of devices susceptible to cyber attacks. Stagefright was originally described as ‘the worst Android bug ever discovered’, however the exploit – dubbed ‘Metaphor’ by its creators – marks the first time the vulnerability has been compromised in the operating environment.
According to Jan Vidar Krey, head of development at Norwegian security specialists Promon, Android’s inconsistent patching and system updates leave far too much to chance, inviting cyber attackers to try their hand at executing malware on foreign devices:
“Although Google released security patches for Stagefright vulnerabilities, not every Android phone and tablet can receive and install them, leaving a large number of devices vulnerable. Metaphor, however, is an appropriate name for the flaw, which can be viewed as being representative of Android’s history of shoddy security: heterogeneous but woefully predictable.”
Stagefright 2.0, a second critical exploit discovered by the researchers, was found to exploit weaknesses in .mp3 and .mp4 files and remotely execute malicious code.
Krey commented: “It’s not a surprise that the Stagefright vulnerability is back in the news. When it was revealed, there was no resolution to the issue: patches and updates were only available for recent models. The first hack could impact up to 95 per cent of devices, so manufacturers’ failure to address the flaw in the six months that passed since its discovery is a huge oversight. Sadly, consumers will ultimately pay the price.
Krey advised: “Android’s operating system is currently the security equivalent of shark-infested water, and the only way to guarantee secure processes is to ensure your app is completely protected. When you’re hosting sensitive information on applications, these threats pose a real concern. Instead, apps must be self-defending and able to identify malware as and when it appears. Until Android is able to straighten out its OS and stop leaning on dodgy patches, base layer app security must be upheld as the crux of a device’s security. Whether Android alone will ever be able to offer a safe environment to carry out transactions is yet to be seen, but I wouldn’t bank on it.”
