The Samsung Galaxy S5 is one of the devices that is vulnerable to Metaphor, a new Android flaw. AP Photo/Lee Jin-man

This Android flaw could mess up your smartphone within 20 seconds

Another reminder to be careful of what you click on if you’re using an older device.

UP TO 275 MILLION Android devices could be at risk from a security flaw which installs malware and accesses your phone.

The flaw, dubbed Metaphor, works on devices running Android 5.0 – 5.1 as well as version 2, and was discovered by Israeli security firm NorthBit.

The flaw is based on the Stagefright security flaw, which was originally discovered back in July, and affected close to a billion devices.

While that allowed attackers to infect a phone by sending a text message and exploiting the auto-loading feature, the process required to set it up was deemed too impractical to carry out consistently.

Metaphor doesn’t have that problem, and NorthBit claims it’s able to reliably compromise Android devices using this method. If the user visits a malicious website with a malicious MPEG-4 video, clicking on it will send a raft of data from the device back to the attacker’s computer.

Depending on the device being affected, the process can take as little as 20 seconds to work.

The flaw is in media parsing, which is done to retrieve metadata like video length, the title, and subtitles. This means the video doesn’t even need to be played for the flaw to be exploited.

Gil Dabah / YouTube

The saving grace for Android users is that the attack code must be tailored to work on a specific Android device, making a universal exploit difficult to create, but the attack would only need minor modifications to work on different devices.

The flaw was tested on a Nexus 5 with stock firmware but managed to work on various versions of Android running on devices like the Samsung Galaxy S5, LG G3 and the HTC One.

Those devices with a security patch from 1 October 2015 and later are safe, but the issue is how many devices aren’t and can’t upgrade. Outside of Google’s own Nexus range, when an Android device gets upgraded depends on the manufacturer, and that can take a couple of months after release to happen.

Only 2.3% of Android users have the latest version, Marshmallow (version 6.0), and 36% are using Lollipop (version 5.0), while the remainder are using older versions. Many devices are older and unable to update to the latest version, placing them at risk.

As always, most of these issues can be avoided once you stick to official sites and apps. If you ever get an email or message that looks suspicious, trust your gut instinct and ignore it, especially if you’re using an older device.

Android breakdown. Android Developers


Author
Quinton O'Reilly