New Stagefright exploit: Metaphor

PereDroid

Diamond Member
Joined
Jan 25, 2010
Messages
5,908
Reaction score
3,681
Location
Cleveland, Ohio
Current Phone Model
Moto Turbo 2

A research company in Israel has discovered a new and, more importantly, reliable way to use the Google Stagefright bug to hack your phone. They are calling it "Metaphor." Unlike the previous vulnerability, which was triggered by a video in an MMS message, this one can be triggered simply by visiting a web page. They even released a paper explaining in detail what you need to do to create this exploit.

There is some good news: if you are on Marshmallow 6.0+ you are not vulnerable to this. Also, if your manufacturer released an official Stagefright patch from the first vulnerability, you are also safe. The other 95% of you? Be careful out there!

Edit: Google has not confirmed what I edited out.

Source: The Register
 

DesktopDevin

Active Member
Joined
Nov 28, 2009
Messages
381
Reaction score
59
Location
Garner, NC
Current Phone Model
HTC One M8
Gotta call bull hockey on the 6.0 is protected. Had to wipe my phone yesterday after a banner ad started slamming me with pop-ups in Chrome claiming I had won a prize from Amazon, with links to "claim my prize". I captured the links it was wanting me to click on, along with screenshots, and forwarded it to Amazon. I won't post the link, but here are the screenshots.
 

Attachments

  • Screenshot_20160317-144712.png
  • Screenshot_20160317-144732.png

Jonny Kansas

Administrator
Staff member
Rescue Squad
Joined
Jan 21, 2010
Messages
16,740
Reaction score
7,355
Location
Michigan's Upper Peninsula
Website
www.google.com
Current Phone Model
Pixel XL
Twitter
jonny_ks
> Gotta call bull hockey on the 6.0 is protected. Had to wipe my phone yesterday after a banner ad started slamming me with pop-ups in Chrome claiming I had won a prize from Amazon, with links to "claim my prize". I captured the links it was wanting me to click on, along with screenshots, and forwarded it to Amazon. I won't post the link, but here are the screenshots.

There's a difference between these advertising popups and the Stagefright (or Metaphor) exploit. One might lead to another, but seeing popups doesn't mean you're not protected from this exploit if you're running the proper software.
 
PereDroid

Yea, that's just something you got from a sketchy website. You could have fixed that easier than doing a full-on FDR. If you were "Metaphor'd" you probably wouldn't even know it right away. It sounds to me that Metaphor would be more likely to be used to spy on what you do on your phone... not serve pop-ups.
 

Mustang02

Diamond Member
Joined
Aug 8, 2010
Messages
7,531
Reaction score
5,017
Location
Ohio
Current Phone Model
Nexus 6P/5X
"Android devices with a security patch level of October 1, 2015 or greater are protected because of a fix we released for this issue (CVE-2015-3864) last year. As always, we appreciate the security community's research efforts as they help further secure the Android ecosystem for everyone."
 

DesktopDevin

> Yea, that's just something you got from a sketchy website. You could have fixed that easier than doing a full-on FDR. If you were "Metaphor'd" you probably wouldn't even know it right away. It sounds to me that Metaphor would be more likely to be used to spy on what you do on your phone... not serve pop-ups.

If you want to call CareerBuilder "sketchy" then fine by me.

I have seen banner ads infect machines from all walks of websites due to the fact that the website is not sketchy but the salesperson that sells the ad space is so desperate for ad money that they don't check the content of the ads that are running in their available space.

And to me doing a full wipe is no big deal, as any major files or info are backed up in offline storage and can be restored in a very short time. I would much rather take the time to do a full wipe and know that I am secure after a compromise, and yes, runaway popups that come up even after force closing Chrome and rebooting I would consider a compromise of my system.

Yea, it's not Metaphor, but it is something I definitely don't want hanging around.

A clean phone is a happy phone! :cool:
 