275mn Android users could be hacked due to software bug, says Israeli company

A newly-discovered security glitch could leave up to 275 million Android devices at risk of being hacked, an Israeli software company has warned.

Northbit claims on its LinkedIn profile to have "a competitive edge", "having recruited the most skilled team in software research from the Israeli Intelligence Corps".

They reportedly found the 'Metaphor' glitch in Stagefright, Android’s mediaserver and multimedia library, which has been open to a number of previous exploits.

As shown in Northbit’s video and detailed in its research paper, a phone user running the Google-owned software would have to click an infected link directing them to a website. The site would then allow the virus to be installed on the phone, giving the hacker the ability to control the device remotely.

The hack involves bypassing a device’s "address space layout randomization" (ASLR), which, for those of us who have no idea what that means, is a kind of memory protection process. The attack can take anywhere from a few seconds to two minutes to complete.

"Our research managed to get it [the attack] to the level of production grade, meaning that everyone - both the bad guys and good guys, or governments - could use our research in order to facilitate it in the wild," said Northbit’s co-founder Gil Dabah, aka Arkon.

Devices running Android 2.2 to 4.0, as well as 5.0 and 5.1, are most susceptible, with Nexus 5 devices, the HTC One, LG G3, and Samsung S5 all successfully hacked by Northbit.

The company estimates, however, that around 275 million devices are open to being hacked in such a way, as they either lack ASLR or can be breached with this newly-discovered method.

In 2015, there were two separate bugs discovered in Stagefright, leaving a billion devices open to exploitation when users tried to preview a song or video online.

Google is expected to release a patch for the exploit, although the company has yet to confirm the action.