Metaphor exploit: A follow-up to Stagefright that puts millions of Android devices at risk

Nearly a year after the discovery of Stagefright, Metaphor is the most recent exploit of the vulnerability to rear its ugly head.

[Image: Android Stagefright exploit (image via Enterprise Security Today)]

Last summer, it was nearly impossible to avoid the news about the Stagefright vulnerability. At the time of its unveiling, security researchers believed Stagefright to be the worst Android vulnerability yet discovered. Nearly a year after its discovery, Metaphor is the most recent embodiment of the vulnerability to rear its ugly head.

Social engineering, a popular technique used to lure victims into becoming infected with malware, plays a key role in encouraging victims to open web pages that allow the exploit to take place and for Metaphor to be fully effective.

Methods to lure victims into triggering Metaphor may include popups and links on malicious or hacked websites, as well as trusted websites that contain malicious content. Metaphor can also be triggered by certain ‘drive-by’ social engineering tactics: the exploit can take place when a user connects to a free, unsecured Wi-Fi network or scans a QR code advertising an innocent-looking game or app.

Essentially, Metaphor targets the same Android library (libstagefright) as the original Stagefright vulnerability but is implemented differently. To properly exploit the vulnerability, the team from NorthBit used a different method than that of Stagefright. Their implementation combines exploitation of CVE-2015-3864 with an Address Space Layout Randomisation (ASLR) bypass. ASLR randomises where code and data are placed in memory so that an attacker cannot predict the addresses needed for shellcode to execute successfully.

One of the most significant (and scary) things about Metaphor is the large share of Android devices it can affect. The implementation of Metaphor can exploit devices running Android 5.0-5.1 and, in general, can virtually affect around 36.1% of Android devices. I say “virtually” because this exploit is not implemented to work universally: exploitation is unique to each device encountered, so small changes in the code are needed to target and attack a specific device.

Parsing’s role in Metaphor

Media parsing is still at the centre of the picture here. Parsing is the process of retrieving metadata such as the title, artist name, subtitles, comments, and so on. Just as with the original Stagefright bug found by Joshua Drake, Metaphor targets specific bugs in Android’s Stagefright library (libstagefright), in the metadata-parsing code that lies inside that library. Metaphor’s attack vector is JavaScript executed by a web browser: the victim must open a specially crafted web page that can run JavaScript, and that JavaScript is then used to drive the parsing of a crafted media file, customised for the device, and cause a heap overflow.
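As an added illustration (not code from the original post, and not NorthBit’s or libstagefright’s own code), here is a hardened parser for a constructed, simplified metadata chunk format: it validates the chunk’s size field before using it, which is the class of check whose absence turns crafted metadata into a heap overflow. The chunk layout, the `titl` tag and the sample buffers are assumptions for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified chunk format (not libstagefright's real parser):
 * 4-byte big-endian size covering the whole chunk (header included),
 * a 4-byte type tag, then the payload. */
#define HDR_LEN 8

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Copy the payload of the first chunk tagged `want` into out, NUL-terminated.
 * Returns the payload length, or -1 if the chunk is malformed or absent.
 * The checks are what a size-driven heap overflow needs to be missing:
 * the size must cover the header, stay inside the input, and fit `out`. */
int extract_metadata(const uint8_t *buf, size_t len, const char want[4],
                     char *out, size_t out_cap) {
    size_t off = 0;
    while (len - off >= HDR_LEN) {
        uint32_t size = be32(buf + off);
        if (size < HDR_LEN || size > len - off)   /* bogus or oversized */
            return -1;
        if (memcmp(buf + off + 4, want, 4) == 0) {
            size_t payload = size - HDR_LEN;
            if (payload >= out_cap)              /* would overflow out */
                return -1;
            memcpy(out, buf + off + HDR_LEN, payload);
            out[payload] = '\0';
            return (int)payload;
        }
        off += size;
    }
    return -1;
}

/* Constructed samples: a well-formed "titl" chunk, and one whose size field claims far more bytes than exist. */
static const uint8_t sample_ok[] = {0,0,0,13,'t','i','t','l','H','e','l','l','o'};
static const uint8_t sample_oversized[] = {0xFF,0xFF,0xFF,0xF0,'t','i','t','l','H','e','l','l','o'};

int main(void) {
    char title[32];
    printf("ok: %d\n", extract_metadata(sample_ok, sizeof sample_ok, "titl", title, sizeof title));
    printf("oversized: %d\n", extract_metadata(sample_oversized, sizeof sample_oversized, "titl", title, sizeof title));
    return 0;
}
```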

So how is Metaphor any different from the original Stagefright bug, then? The main feature that separates the two flaws is the Address Space Layout Randomisation (ASLR) bypass. An attack needs device-specific, pre-built information in order to bypass ASLR successfully. A big database of device fingerprints (Android and device build versions) could increase the number of devices that are vulnerable to attack.

How can users stay clear of Metaphor?

Mutating mobile malware is becoming an increasingly common topic. To avoid coming into contact with Metaphor (and other nasty exploits), it’s crucial that individuals and businesses alike use common sense when operating mobile devices. In addition, it’s generally a good idea to take the following precautions:

  • Ensure that you apply all of the monthly security OTA fixes from your mobile vendor.
  • Don’t open links from emails that seem to be from people that you don’t know.

For a comprehensive analysis of Metaphor, read about the exploit in NorthBit’s full report.
