
At this point, it's irrefutable: The Android ecosystem, splintered across countless versions and locked into place by disparate, poorly planned third-party hardware, is making you less safe. This week, Israeli security house NorthBit published a method (as a PDF whitepaper) for applying the long-known "Stagefright" vulnerability to attack literally hundreds of millions of phones. Called Metaphor, it could easily parallel an attack already devised by criminal hackers, who are always neck and neck with security researchers.

Anybody running a phone patched on or after October 1, 2015 should be safe; the trouble is not that Google doesn't know how to fix the vulnerability. Instead, the problem is that an astonishing number of devices simply cannot be updated and protected: some 275 million, according to NorthBit's analysis. That's better than the originally reported billion or so vulnerable devices, but seen in terms of the proportion of Android users running versions 2.2 through 4.0, 5.0, or 5.1, it's still intimidating.
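A quick way to check a device against that October 1, 2015 threshold, added here as an example and not part of the original article or of NorthBit's work: the script below parses the output of `adb shell getprop`, reads the `ro.build.version.security_patch` property, compares it against 2015-10-01, and also reports whether the Android release falls in the version ranges the article names as exposed to Metaphor (2.2 through 4.0, and 5.0 and 5.1). The sample getprop outputs are constructed, not captured from real devices. The patch-level property was introduced with Android 6.0, so a build that does not report one is older than the fix and is treated as unpatched.

```python
import re
import sys
from datetime import date

# The article's threshold: a device whose Android security patch level is
# 1 October 2015 or later carries Google's fix for the Stagefright bugs.
FIXED_PATCH_LEVEL = date(2015, 10, 1)

# Android versions the article names as exposed to Metaphor (2.2 through
# 4.0, plus 5.0 and 5.1), compared on major.minor only.
METAPHOR_RANGES = (((2, 2), (4, 0)), ((5, 0), (5, 1)))

# `adb shell getprop` prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(output):
    """Turn getprop output into a dict; lines that are not key/value pairs are skipped."""
    props = {}
    for line in output.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level; None if the property is absent or malformed."""
    if not value:
        return None
    try:
        year, month, day = (int(part) for part in value.split("-"))
        return date(year, month, day)
    except ValueError:
        return None


def parse_release(value):
    """Reduce a release string such as '5.1.1' or '4.4W' to a (major, minor) tuple."""
    m = re.match(r"^(\d+)\.(\d+)", value or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def in_metaphor_range(release):
    """True if the release is in one of the version ranges the article lists."""
    ver = parse_release(release)
    return ver is not None and any(lo <= ver <= hi for lo, hi in METAPHOR_RANGES)


def assess(getprop_output):
    """Return the release, the patch level, and whether the 2015-10-01 threshold is met."""
    props = parse_getprop(getprop_output)
    release = props.get("ro.build.version.release", "")
    level = parse_patch_level(props.get("ro.build.version.security_patch"))
    if level is None:
        # The security_patch property was introduced with Android 6.0; a build
        # that does not report one predates the fix and is treated as unpatched.
        patched, reason = False, "no security patch level reported"
    elif level < FIXED_PATCH_LEVEL:
        patched, reason = False, "patch level %s predates 2015-10-01" % level
    else:
        patched, reason = True, "patch level %s is on or after 2015-10-01" % level
    return {
        "release": release or "unknown",
        "patch_level": level.isoformat() if level else None,
        "patched": patched,
        "metaphor_target_version": in_metaphor_range(release),
        "reason": reason,
    }


# Constructed sample outputs, not captured from real devices.
SAMPLE_PATCHED = """\
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-03-01]
[ro.product.model]: [Nexus 5]
"""

SAMPLE_UNPATCHED = """\
[ro.build.version.release]: [5.1.1]
[ro.product.model]: [example-device]
"""

if __name__ == "__main__":
    # Usage: adb shell getprop | python3 stagefright_check.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_UNPATCHED
    for key, val in assess(data).items():
        print("%-24s %s" % (key + ":", val))
```

The check is deliberately conservative: a missing or malformed patch level counts as unpatched, and the version flag only tells you whether the device is in the population the article describes, not whether any specific exploit works against it.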

Exploits based on the Stagefright issues will remain dangerous for the foreseeable future, and for many devices the fix will arrive through replacement over time rather than through any active effort by the technology companies involved.

To be fair, Metaphor is the first truly dangerous implementation of the Stagefright vulnerability we know of, and it's fairly elaborate. It works by doing a sort of reconnaissance before actually attacking. The process begins when a malicious MPEG-4 video deliberately crashes Android's media server and, as its reward, gets back a report on the device's hardware. Next, the attacker repeats the process with another crash-bound video, gathers more information, and only then attacks. The researchers say the exploit doesn't lend itself to a single, monolithic attack against all handsets and must be tailored to each one, so the obvious solution was to make an exploit that could automatically tailor itself to each target using what it learns from those crashes.

On vulnerable devices, this approach can get the attackers past the phone's defenses in about 20 seconds. Because the bug lives in the code that parses a video's metadata, the file is processed as soon as it is loaded, so the attack doesn't necessarily require any action by the user. Simply loading a booby-trapped page can be enough to allow access. Worse, Metaphor's method of attack is also the first to bring Android 5.0 and 5.1 into the Stagefright danger zone.

This is an existential problem for Android, and for Google in general: Whether it's a mobile OS or a self-driving car, the Google argument has always been that a world full of interconnected hardware and software developers will always beat out a single, monolithic company with total control. In certain ways, they've been proven right; Apple can't provide the breadth, variety, or low-cost options of the Android ecosystem. But how long can these advantages of the Android model continue to offset the increasingly apparent disadvantages in the minds of consumers?

In the end, the responsibility lies at least as much with device manufacturers as with Google's core Android developers. Google has lobbied companies like Samsung to be more vigilant about pushing, at the very least, pure security updates to their phones, with only limited success. In many cases, Android users looking to be as safe as possible end up being forced to "root" their phones for developer access so they can install a build that carries current patches, often ending the term of their warranty.

This state of affairs will continue until the user base takes greater notice of mobile security. Right now, the people most knowledgeable about these bugs are those most likely to own new, fully updated phones. The people most likely to be hurt by the foot-dragging of certain hardware companies are also those least likely to know it, and thus the least likely to punish their device maker by going elsewhere next time.