Android Devices at Risk from New Android Exploit

By Jake Ke / 1459055659

Millions of Android devices are vulnerable to attack after security researchers found a new way to exploit this type of device. Google had successfully patched the older vulnerability; however, North Bit, a software research company based in Herzliya, Israel, published a paper declaring that it has "properly" exploited a bug in Android devices.

This Android bug was considered the "worst ever discovered." The new weakness, called Metaphor, is detailed in the PDF and the video. Metaphor was found in Stagefright, Android's media server and multimedia library. The exploit was found to run best on Google's Nexus 5 with stock ROM. HTC's One, LG's G3 and Samsung's S5 are at risk with 'slight modifications'. Android devices running versions 2.2 through 4.0, 5.0 and 5.1 are susceptible to attack.

The exploit needs a little social engineering: the victim has to be tricked into completing it. After the victim clicks a link to a Web page containing a malicious MPEG-4 multimedia file and stays on that page for a while, the exploit runs.

The file then crashes the Android media server, forcing a reset. Once rebooted, the site progressively sends device data to the attacker's server. The exploit can take from a few seconds to two minutes, and that time can be reduced drastically with some sophisticated methods. In the demo published by North Bit, the whole process is completed in 20 seconds.

Stagefright debuted in late July, after the discovery of a bug in Google's mobile operating system. It was discovered by Joshua Drake, a Zimperium researcher. At that time, 950 million devices were at risk.

Approximately 275 million devices run susceptible versions. However, the exact number of potentially susceptible devices is hard to determine. Google released a patch for the Android bug and has promised regular security updates.