A new bug called Stagefright that affects Android devices has been discovered by security researchers. The bug could leave up to 275 million Android users at risk of attack according to a research company.
The company, NorthBit, a research software company based in Israel, claims it had exploited the bug which was previously said to be the “worst ever discovered” bug. The exploitation the company used is called Metaphor. On its LinkedIn profile, the company boasts of “a competitive edge, having recruited the most skilled teaming software research from the Israeli Intelligence Corps.”
Gil Dabah, who is the co-founder of the research company, told the reporters that if left the exploit could be altered to cause more damage. He stated that if people did not upgrade to the latest updates, then they were at a higher risk to get more affected. The bug affects Android 5 or 5.1 devices mostly of which they constitute 36 percent of the 1.4 billion mobile Android phones on the market. In a statement he said, “Our research managed to get it to the level of production grade, meaning that everyone – both the bad guys and good guys, or governments- could use our research to facilitate it in the wild.”
The news of the Stagefright bug is not new as the first discovery of the bug was in July 2015 by a security firm named Zimperium. The virus can execute remote code on Android devices and is possible to affect 95 percent of Android devices. Another version, the Stagefright 2.0 was found again in October, which was said to be able to exploit issues with .mp3 and .mp4 files. Google has done much to release software updates for the two Stagefright glitches that were in seen in 2015 and analysts will be hoping to see an update for the new exploitation on the market soon as well.
The research team says that the Stagefright can only affect Android 2.2, 4.0, 5.0 and 5.1. Other versions are safe for now. He says they managed to bypass a way, address space layout randomization (ASLR), a memory protection process which is available on Android 5.0 and 5.1 but not on 2.2 and 4.0.
After bypassing the ASLR, the video then shows one user opening a link sent in a message before the exploit sends mounds of data to the hacker’s computer. The chairman of Zimperium said that the research done by NorthBit showed that the scope of vulnerable Androids had increased. “I would be surprised if multiple professional hacking groups do not have working Stagefright exploits by now. Many devices out there are still vulnerable, so Zimperium has not published the second exploit to protect the ecosystem,” he said.
— RT (@RT_com) March 1, 2016
NorthBit’s report is enough to give hackers another way to complete exploit using the Stagefright bug, and they estimate around 275 million affected devices. Google is expected to release an update, but there has been no comment from them yet.
As always, add another layer of protection to yourself by getting a really good VPN.