In late 2015, mobile security firm Zimperium uncovered the Stagefright bug, touted as the mother of all Android vulnerabilities.
It was reported that cybercriminals could remotely access data from a phone by just sending an MMS message with malicious code attached, which when played would install a bug inside the phone. Later, they can hijack the device and take all the sensitive details. It reportedly put more than a billion Android devices at risk of hacking
Taking note of the severity of the issue, Google successfully fixed the glitch in a few weeks and vowed to release monthly security patches to Nexus-series phones, while other Original Equipment Manufacturers (OEMs) voluntarily joined the campaign to stem the Stagefright bug.
Now, Stagefright bug has returned in a new avatar called "Metaphor", Israel-based security research firm NorthBit reported.
It is said devices running Android v5.1 and older (v5.0, v4.0, v2.2) mobile OS versions are vulnerable to the Metaphor bug, thus putting more than 275 million smartphones and tablets at risk of data theft.
Also read: Android Stagefright Bug: Everything You Need to Know
NorthBit researchers successfully used the Metaphor bug to bypass Address Space Layout Randomisation (ASLR) — a memory-protection process for operating systems (OSes) — by exploiting a flaw in the Android media server library.
How the Metaphor bug enters Android devices:
If an individual uses a smart device to visit a website containing a malicious MPEG-4 video, it crashes the device's media server and retrieves the hardware details. It will send another video clip to pull security data back to the hacker's server, and using the retrieved data, finally send a third video with the Metaphor bug to infect the smartphone.
This procedure may sound too complex for many, but researchers have managed pull this off within 20 seconds.
NorthBit co-founder Gil Dabah has put a video demo on YouTube (HERE) detailing the hacking process on a Nexus 5 smartphone, and has urged Google to take necessary measures to put a plug in the security loophole in the Android OS.
Researchers were able to perform similar hacking procedures on HTC One, Samsung Galaxy S5 and LG G3 as well.
Should Android device owners be seriously worried about the Metaphor bug?
Android device owners have been unrged not to press the panic button just yet, as there are no official reports of hackers using the Metaphor bug to steal data. It was discovered recently by NorthBit and they have escalated the issue to Google. The Android team engineers are already working on it. Metaphor bug is expected to be patched well before any cybercriminal misuses it.
Until a software patch arrives, individuals are advised to exercise caution while using smart devices to visit unreliable websites.
