NorthBit Releases Metaphor Source on Github

NorthBit Releases Metaphor Source on Github

NorthBit Advanced Software Research released on Thursday source code related to their Metaphor exploit of Stagefright to the public. Metaphor has been making its run through the news cycle due to the large footprint of devices likely affected.

NorthBit estimated the number of affected devices was at least 235 million – those running 5.0 or 5.1. Older versions of Android would also be affected, though they are likely vulnerable to far more exploits beyond this one. It also has received more attention compared to other security bugs due to its relationship with the original Stagefright issues.

As described in their whitepaper, Metaphor exploits exploit CVE-2015-3864. This bug may seem familiar as it was created by an improper patch of a previous Stagefright bug. More about the issues with Stagefright were previously detailed by Developer Admin pulser_g2. You can read both about the original bugs themselves and an example of how it was exploited. Google’s own Project Zero team also provides a similar example of how this particular vulnerability can be exploited as well as a look into their internal debate on how to address this bug.

Fortunately those who may be in the list of affected devices may not be affected any longer. A patch was already released by Google in the September 2015 Nexus Security Bulletin. Devices running 6.0 or higher should not be affected by this exploit. In addition, devices running a recent 5.1 build of open-source alternative builds such as CyanogenMod or OmniROM should also be unaffected. And if your manufacturer has been keeping up with security updates from Google, it’s likely that the exploit has been patched.

The source for the Metaphor implementation can be found here.

Readers: What do you think? Does the release of this source code lead to easier and possibly further exploitation of the vulnerability? Or since it has already been patched is it not as big of an issue as it is being made out to be? Sound off and let us know what you think in the comments below!

About author

Daniel Moran
Daniel Moran

As XDA's PC Hardware Editor, we continue to take a look at how developers can best take advantage of the hardware offerings in the market. Our focus remains on Linux and relevant discussion for developers; but we also will take time to look at other components as many of our developers use these systems for many other reasons.I continue to offer coverage on mobile and other technology relevant to our audience, especially as PC and mobile hardware lines begin to blur. I also have a tendency to refer to my career and experiences as relevant to our discussions on XDA.