NorthBit Releases Metaphor Source on Github

NorthBit Releases Metaphor Source on Github

We may earn a commission for purchases made using our links.

NorthBit Advanced Software Research released on Thursday source code related to their Metaphor exploit of Stagefright to the public. Metaphor has been making its run through the news cycle due to the large footprint of devices likely affected.

NorthBit estimated the number of affected devices was at least 235 million – those running 5.0 or 5.1. Older versions of Android would also be affected, though they are likely vulnerable to far more exploits beyond this one. It also has received more attention compared to other security bugs due to its relationship with the original Stagefright issues.

As described in their whitepaper, Metaphor exploits exploit CVE-2015-3864. This bug may seem familiar as it was created by an improper patch of a previous Stagefright bug. More about the issues with Stagefright were previously detailed by Developer Admin pulser_g2. You can read both about the original bugs themselves and an example of how it was exploited. Google’s own Project Zero team also provides a similar example of how this particular vulnerability can be exploited as well as a look into their internal debate on how to address this bug.

Fortunately those who may be in the list of affected devices may not be affected any longer. A patch was already released by Google in the September 2015 Nexus Security Bulletin. Devices running 6.0 or higher should not be affected by this exploit. In addition, devices running a recent 5.1 build of open-source alternative builds such as CyanogenMod or OmniROM should also be unaffected. And if your manufacturer has been keeping up with security updates from Google, it’s likely that the exploit has been patched.

The source for the Metaphor implementation can be found here.

Readers: What do you think? Does the release of this source code lead to easier and possibly further exploitation of the vulnerability? Or since it has already been patched is it not as big of an issue as it is being made out to be? Sound off and let us know what you think in the comments below!