Most people will think they won’t really know what how scary a Stagefright infection of their phone is, and that’s because it does take a good amount of work from a hacker to execute a good Stagefright hack. Or at least, it used to be hard work. Now researchers have found a way to make a Stagefright attack in multiple waves – getting hardware and security data before actually infecting your phone – all within 20 seconds or so.
The process is dubbed as Metaphor, and it leverages on the Stagefright vulnerability that affects Android’s media server. The first act is when you get lured to a website with an MP4 file that has malicious code. Your phone will attempt to play the file, and the file will crash Android’s media server while also sending back hardware data to whoever is running the hack. Another MP4 file will be sent, and this one will get data about your phones security and privacy settings. Lastly, a final file will be sent that will actually infect your phone and make it open to data mining.
It sounds like a tedious process, but the whole thing can be done in a span of 20 to 30 seconds. And while Metaphor is most effective on a Nexus 5 with stock firmware, the hack also works on customized Android variants found on the HTC One, LG G3 and Samsung Galaxy S5.
Of course, phones running Marshmallow are protected from this attack. Google also responded to this research, saying that if you have patched Android with at the very least the October 1, 2015, you should be protected. The problem is, there are a lot of Android devices out there which still run KitKat or unpatched versions of Lollipop.