New Stagefright Exploit Exposes 275 Million Android Phones To Hack

Android, being an open-source operating system can be easily and quickly affected, that according to Northbit, nearly 36% of the 1.4 billion active phones running Android operating system are vulnerable to the new “Stagefright” hack, which quickly allows hackers to access data and take control over key operations. It’s now a real, consistent damger on affected mobile phones.

Well! You may know by now that how theriotically dangerous the Stagefright security flaw is, but it hasn’t been that risky as it in practice, but it’s just too difficult to implement on an Android device in a reliable way. Security researchers at NorthBit have developed a fool-proof-concept Stagefright exploit, Metaphor – reliably compromises Android phones. The firm also has claimed to exploit this remote Android hacking bug.


This new Stagefright exploit also guides black hat hackers, white hat hackers and even government spying agencies to build the Stagefright exploit for themselves, which you can check this PDF document here. However, NothBit term this exploit has the “worst ever discovered“, this news of remote Android hacking exploit is yet another war declared an Android after the Snapdragon programming mistake taking a toll on billion of Android-powered devices which have reportedly heard about.

The researchers also provided a proof-of-concept video that illustrates how easily it was for them to hack into Android phone – Nexus 5 using this exploit in just 10 seconds. They were also been successfully tested it on a Samsung Galaxy S5, LG G3 and HTC One smartphones. The key is a back-and-forth procedure that gauges a device’s defenses before diving in. If visited a website with a maliciously-designed MPEG-4-video and the attack will definitely crash the whole Android’s media server, send hardware data back to the attacker, send another video file, collect additional security data and deliver one last video file that actually infects the device.

Android 6.0 Marshmallow running devices won’t be affected or any other OS version patched against Stagefright are good to fight back. The catch is that relatively few people are in that boat, mostly Android users who are on Lollipop or earlier, and only some of those devices have Stagefright patces. You’re probably fine if you own a relatively recent device, but with a years-old Android phones is at big risk.

Here are simple steps that allow Stagefright to take control of an Android phone and they work something like this:

  • It tricks users into visiting a hacker’s web page.
  • The hacker’s web page contains a malicious multimedia file.
  • Once the user downloads the malicious multimedia file, it resets the internal state of the phone.
  • The attacker’s server then sends a custom generated video file to the affected device, exploiting the Stagefright bug to reveal more info about the device’s internal state.
  • Using the information sent by the exploit to the hacker’s server, a hacker is easily able to control your smartphone.

Update: Google has provided a response that elaborates, “you’re protected against this if your phone has least the October 1st, 2015 security update installed.” Read the full statement below.

Android devices with a security patch level of October 1, 2015 or greater are protected because of a fix we released for this issue (CVE-2015-3864) last year. As always, we appreciate the security community’s research efforts as they help further secure the Android ecosystem for everyone.”