If you're an Android owner, you have probably already heard of Metaphor - a scary-sounding exploit for the Stagefright flaw found in Google's mobile operating system last year.
The media is hyping Metaphor, discovered by researchers at Israeli security firm NorthBit, as the first reliable exploit of Stagefright, which was judged by some to be too difficult to take advantage of.
Stagefright is a media library within Android that allows the operating system to interpret various media, namely video files, audio files, and picture files.
The Stagefright bug, and later versions of it, stem from integer overflow vulnerabilities in the Stagefright software library, which can allow an attacker to hijack a device.
How Metaphor works, and why it's dangerous
So far, so scary. But what a lot of the reporting of this new Stagefright bug overlooks is the reason why so many Android devices are still vulnerable to this type of attack.
The problem with protecting against Metaphor, and against all Android vulnerabilities, is more to do with the way that Android is distributed than anything else. Because Android is adapted and reskinned by each vendor, the rollout of new OS versions across all Android devices is painfully slow.
So, while Android Marshmallow and Lollipop both come with Stagefright patches in place, that's cold comfort to the 62 per cent of users whose phones do not run either of those operating systems.
These users are left vulnerable to attack simply because their devices do not yet support the latest operating system, even if it is relatively new.
How to beat Metaphor
However, users are not completely helpless in the face of Metaphor. Not clicking on strange or unexpected links, stopping pages that try to redirect you, or exiting a page if it seems to be doing something strange could help thwart an attack, as the attack requires users to stay on the malicious page for up to two minutes in some cases.
But ultimately, it is up to the Android ecosystem to work out how to roll out updates faster, because leaving users as sitting ducks is not only unsafe, it's also unfair.
Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.