Stagefright exploit reliably attacks Android phones

Stagefright security flaw is theoretically known to be dangerous, but it hasn't been that risky in practice. It has just been too difficult to implement on an Android device in a reliable way, according to Engadget. But now things have changed. Security researchers at NorthBit have developed a proof-of-concept Stagefright exploit, named Metaphor, which reliably compromises Android phones. The key is a back-and-forth procedure that gauges a device's defenses before diving in. Visit a website with a maliciously-designed MPEG-4 video and the attack will crash Android's media server, send hardware data back to the attacker, send another video file, collect additional security data and deliver one last video file that actually infects the device.

Though it might sound laborious, but it works quickly. A typical attack breaks into a phone within 20 seconds. And while it's most effective on a Nexus 5 with stock firmware, it's known to work on the customized Android variants found on phones like the HTC One, LG G3 and Samsung Galaxy S5.

This doesn't amount to an in-the-wild attack, and one will be fine if one is running Android 6.0 Marshmallow or any other OS version patched against Stagefright. The catch is that relatively few people are using those. Most Android users are running Lollipop or earlier, and only some of those devices have Stagefright patches, says the Engadget report.