
This Android flaw could mess up your smartphone within 20 seconds

Another reminder to be careful of what you click on if you’re using an older device.

The Samsung Galaxy S5 is one of the devices that is vulnerable to Metaphor, a new Android flaw.
Image: AP Photo/Lee Jin-man

UP TO 275 MILLION Android devices could be at risk from a security flaw which installs malware and accesses your phone.

The flaw, dubbed Metaphor, works on devices running Android 5.0 – 5.1 as well as version 2, and was discovered by Israeli security firm NorthBit.

The flaw is based on the Stagefright security flaw, which was originally discovered back in July, and affected close to a billion devices.

While that allowed attackers to infect a phone by sending a text message and exploiting the auto-loading feature, the process required to set it up was deemed too impractical to carry out consistently.

Metaphor doesn’t have that problem and NorthBit claims it’s able to reliably compromise Android devices using this method. If the user visits a malicious website with a malicious MPEG-4 video, clicking on it will send a raft of data from the device back to the attacker’s computer.

Depending on the device being affected, the process can take as little as 20 seconds to work.

The flaw is in media parsing which is done to retrieve metadata like video length, the title, and subtitles. This means the video doesn’t even need to be played for the flaw to be exploited.

Source: Gil Dabah/YouTube

The saving grace for Android users is the attack code must be tailored to work on a specific Android device, making a universal exploit difficult to create, but the attack would only need minor modifications to work on different devices.

The flaw was tested on a Nexus 5 with stock firmware but managed to work on various versions of Android running on devices like the Samsung Galaxy S5, LG G3 and the HTC One.

Those devices with a security patch from 1 October 2015 and later are safe, but the issue is how many devices aren’t and can’t upgrade. Outside of Google’s own Nexus range, when an Android device gets upgraded depends on the manufacturer, and that can take a couple of months after release to happen.

Only 2.3% of Android users have the latest version, Marshmallow (version 6.0), 36% are using Lollipop (version 5.0), while the remainder are using older versions. Many devices are older and unable to update to the latest version, placing them at risk.

As always, most of these issues can be avoided once you stick to official sites and apps. If you ever get an email or message that looks suspicious, trust your gut instinct and ignore it, especially if you’re using an older device.

Android breakdown Source: Android Developers

About the author:

Quinton O'Reilly
