Stagefright Variant ‘Metaphor’ Puts Millions Of Samsung, LG and HTC Phones At Risk

Millions of Android users are at risk of a new Metaphor exploit that can take over Samsung, LG and HTC phones in under 20 seconds. The hack gives attackers access to the targeted phones including the ability to inject malware and take control over key smartphone functions.

Discovered by Israeli-based security firm NorthBit, the vulnerability is yet another flaw tied to the maligned Stagefright vulnerability in Android. Affected phones are Nexus 5, LG G3, HTC One and Samsung Galaxy S5 handsets. NorthBit also claims phones running Android 2.2, 4.0, 5.0 and 5.1 are also at risk to Metaphor.

Metaphor works by sending a message to the victim containing a link to a website hosting a video. Victims attempting to load the video experience a crashing of the video player, according to NorthBit researchers. As the video player crashes and restarts, data regarding the smartphone’s hardware and software are transmitted to an attacker who can check for the presence of the vulnerability. Next, a new video is sent to the phone along with malware that is exploited within the phone’s mobile browser that gives attackers control over the phone.