Hackers find Metaphor Android Exploit

There is a new exploit that has been found to attack the previously known security weakness in the Android Stagefright multimedia library. The exploit lets a hacker take over an Android device. Here we explain how it works, what versions of Android it affects, and when you can expect it to be fixed on your phone or tablet. It turns out getting the update on your phone can take a long time.

StageFright MPEG Buffer Overflow
The Israeli security firm NorthBit, wrote a new exploit of the Stagefright security weakness. The actual weakness was discovered last year. They named their hack the Metaphor exploit. Here is a video showing it attacking a phone.

In a paper by Hana Be’er of Northbit, the author writes that attacking Stagefright was “... a feat previously considered incredibly difficult to reliably perform.” Sounds like he is bragging.  

The weakness affects Android version 2.2-4.0 and 5.0-5.1

To write the exploit, the Israeli firm studied the Android source code for processing MPEG video files. The MPEG video format includes a string field and a field that denotes the length of the string field. The exploit is executed by creating a MPEG file where the length field is different than the actual length of the data.  

A hacker would deploy this by using a phishing attack to lure someone into going to an infected web page. That web page would contain video in the HTML tag of the page, thus causing the browser to load that. Or it could use JavaScript.

Buffer Overflow Attack Defined
The exploit uses the buffer overflow approach. The Israeli programmers found that they could change the size field to be different than the actual length of the string field in the MPEG file, thus letting them overflow the buffer and gain access to the machine.

metaphor android exploit

To illustrate what that means consider this: Suppose a field is of, say, length 10 and contains these characters (“0123456789”). Per the MPEG standard there is another field size=10, so that the whole structure looks like this:

String buffer “01234567890”;
Int size 10

Then by changing size to some other value the hackers could make the string field buffer look like this:

String buffer “malicious computer code;
Int size 10

Which is out of whack.

When the Android device reads the buffer field, the “malicious computer code” causes the program to change the memory pointer. In other words, the hacker tells the program to read memory that it outside the bounds of the running program. In this way they gain access to the memory of the Android operating system. So they can take over the flow logic of the program and make it execute the instructions that they want. An ordinary Android app cannot do this, as those are written in Java, which does not let the programmer control memory addresses.

The way a hacker executes a buffer overflow attack is they put assembly language code into the memory instead of characters that would, in this case, represent an MPEG video. When a program reads assembly language instead of data, that causes it to load the instructions put there. Hackers call this shell code.

Assembly language are low-level commands like add and jmp (jump, or go to a specific memory address). They are very low-level steps that a programmer would not normally have to do. Android is written in C++ language. C++ when compiled translates to assembly language. Basically no one but hackers use Assembly language anymore (There are exceptions.) as there is no need to use something so tedious.

When will Your Phone get Patched?
So having found another way to exploit this weakness, and having published it for every hacker to read, is your phone affected and when might it be patched? It turns out the answer to that is rather complicated.

The authors note that there are 235 million devices worldwide with Android version 5.0-5.1. And there are 40 million with Android 2.x devices without address randomization (ASLR), which also have that weakness.

Android has been patched. Whether that update has reached your phone depends on a lot of factors.

First, Android patches are released by the phone manufacturer and the wireless carriers and not Google. This is because each manufacturer and carrier takes the Android opensource code and changes it to brand it with their logo and own tools. Then they put that on the phones that they build for each carrier.

Going back and patching all of that requires coordination between the wireless carriers and the phone manufacturers.

If you study how that works, it can take seemingly forever to do that. In the case of really old phones, they never do that at all.

Samsung explains that changes are tested in different foreign countries and have to be approved by Google too. (They do not explain why Google has to approve it. It must be a part of the Android license arrangement. Open source software, even though it is free to use, comes with different types of licenses.)

For example, Samsung’s latest updates were released in February of this year. Google phones (which are actually manufactured by someone else for Google) sends out updates monthly.

And then there is the issue of who is going to push out these updates and when. For cell phones, that is up to your wireless carrier. If you have a contract with your cell phone with, for example, Verizon, they sent out security updates for LG models this year in March. As for unlocked devices, the process is the same.

Cell phone updates are not sent out using the internet protocols. Instead they come as over-the-air update instructions from your wireless carrier. Those use the same protocol as when the carrier activates your phone. Tablets and other devices that run Android and have no cellular capability would be updated directly by the manufacturer using internet protocols, like HTTP.

So is your phone patched? It depends on what version of Android you have and in particular the build number. You can read about that here at Android Central.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal