A new exploit of a previously discovered Stagefright vulnerability (CVE20153864) was discovered by a boutique cybersecurity firm based in Israel. The firm, North-Bit, published a report detailing the newly discovered “fast, reliable and stealthy” exploit of the vulnerability.
A chilling video demonstrates the attack in real time by showing a device being compromised in seconds simply by a user visiting an attacker's malware-infected webpage. The flaw affects Android's Stagefright, the mediaserver software library that security researcher Joshua Drake discovered last year affected more than a billion Android devices. Dubbed Metaphor, the new exploit affects approximately 36 percent of 1.4 billion active Android devices, according to the company.
A Google spokesperson confirmed to SCMagazine.com that this was a known issue and stated that patched devices are protected.
The research report, written by North-Bit's Hanan Be'er, said their execution of the vulnerability works best a Nexus 5 device, but the report also said the team exploited HTC One, LG G3, and Samsung S5 devices, though the exploit method is slightly different using each device.
The report stated that devices running Android 5.0 Lollipop or v5.1, the affected operating systems, account for approximately 36 percent of Android's 1.4 billion active devices.
Founded in 2012, North-Bit is based in Herzliyah, the country's high-tech development region. Earlier this month, the firm penned a deal with HP to develop automated testing tools to be used by mobile application developers.