Tag Archives: Northbit

AVG

When a Metaphor means more than an implied comparison

Leave a comment

You are going to want to ​think twice before clicking on that LOLCat. A new proof of concept security vulnerability, dubbed Metaphor, could affect hundreds of millions of Android users.

NorthBit, an Israeli based software research company, has created an exploit in the same software library that the Stagefright vulnerability took advantage of. You may remember that last July 950 million Android devices were put at risk by Stagefright, in which it used an MMS (multimedia messaging service) software weakness that put Android customers at the mercy of hackers who could take complete control of their phone.

Metaphor, was demonstrated by NorthBit by sending an email message with a link to cat photos. The victim clicks the link to view the adorable and hilarious cat photos but unknowingly, in the background the malware is delivered.  This exploit is a hole that allows a hacker to gain access.  This access could be used to deliver malware that could potentially take control of key operations of your phone.  In this particular example, the exploit is not instant – the user does need to engage with the content on this page for the exploit to be successful.

NorthBit’s research paper detailing the findings is not malicious, it’s for demonstrative purposes only. However, there is enough information provided that a professional hacker could use it to create their own fully working exploit and as you see in the video, to take control of some of the operations of your phone.

Since the original vulnerability was disclosed last year, Google released a number of patches that resolved Stagefright; but as we can see with this new disclosure, the media software still offers hackers a route to exploit devices.

The Metaphor exploit affects devices that are using Android Operating Systems: 5.1, 5.0, 4.0, down to 2.2 with some devices more vulnerable than others.

If you have an Android phone, what should you keep in mind?

  • Be cautious of clicking on links from senders you do not recognize: In the example with the cat photos, the victim is opening the MMS it based on emotion around the content. If you don’t recognize it then don’t open it (no matter how cute or grumpy the cat is)!

And remember, the content could be targeted to something that you might be interested in, for me this would be motorbikes.

  • Always download and accept the updates to the operating system: While many phones do this by default some older versions do not. Keep in mind that patching your phone today may not fix this issue but it could fix other issues, so it’s always a good idea to run the updates.
  • Ask Questions: If you are unsure whether there are updates or how to download them a simple internet search should help. If you’re still unsure then contact your carrier.

 

Follow AVG on Twitter @AVGFree

Follow me on Twitter @TonyatAVG