An Israeli security firm identified a lingering vulnerability in older versions of the OS.
The Israeli security firm NorthBit has demonstrated an exploit that could allow hackers to access data and functions on a wide range of versions of Android, after users access malicious websites. The vulnerability that makes the hack possible exploits an Android code library called “Stagefright,” which processes several media formats. It was discovered last year, but apparently Google GOOG -0.02% didn’t fix the weakness in all versions of Android.
As reported by Ars Technica, NorthBit has named its exploit “Metaphor.” Vulnerable versions of Android include versions 2.2 through 4.0, as well as 5.0 and 5.1. Altogether, about 275 million phones run those versions.
The exploit does have two significant limiting factors. First, it has to execute different code to hijack each specific model of phone, making it more difficult for a hacker to deploy it at massive scale without building many different versions.
It is also effectively blocked in the latest version of Android, 6.0 Marshmallow, and Google has said a security patch released in October of 2015 protects some older installs.
As Ars points out, however, updating to the latest operating system is not easy or even possible on all Android phones, so the best security advice is still pretty much the oldest one in the book—don’t click on unknown web addresses from untrusted sources.
END
Be the first to comment