New research has discovered that millions of Android users may be at risk due to a previously discovered vulnerability that was thought to have been fixed.
According to security research firm NorthBit, at least 275 million Android devices may be vulnerable to hackers. The group recently released a research paper explaining a new way to exploit a weakness in Stagefright, Android’s media server and multimedia library.
The new threat
According to NorthBit, if a user accessed a malicious website, the vulnerability could allow hackers to gain access to data and functions on the device. And while the original Stagefright exploit was described as the ‘worst ever discovered,’ this new one allows an attacker to hack Android smartphones in just seconds — by tricking users into clicking on a website that contains a malicious multimedia file.
Google has patched the vulnerability twice before, after it was originally discovered in 2015.
NorthBit says hackers could effectively attack any device running Android versions 2.2 through 4.0, 5.0 and 5.1 — using the new exploit the group has named ‘Metaphor.’
But while the risk arises when a user clicks on a page containing malicious multimedia, NorthBit says you don’t even have to watch the video to get hacked.
“The vulnerability is in media parsing,” according to the research. “Which means that the victim’s device doesn’t even need to play the media.”
Parsing is the step in which the device reads a media file to retrieve information about it.
According to the study, the attack is most effective on Google’s Nexus 5, but it also works, with some modifications, on HTC One, LG G3 and Samsung S5.
“The victim also has to linger for a time in the attack web page,” NorthBit researchers wrote. “Social engineering may increase effectiveness of this vulnerability.”
The latest version of Android, 6.0 Marshmallow, blocks this vulnerability.