Android Marshmallow
Android has been hit with a fresh Stagefright exploit dubbed 'Metaphor' that can take control of your phone Google

Millions of Android users could be at risk from another 'Stagefright' security flaw after researchers claim to have made a working exploit that can remotely take control of a device and spy on victims – all in under 20 seconds.

Dubbed 'Metaphor' by the Israel-based security firm NorthBit that created the exploit, it can give hackers the ability to inject malware that could copy, steal and delete data on the device, take over the smartphone's microphone and camera for spying purposes and even track a user's movements via GPS.

How the Metaphor exploit works

Victims are sent a message linking to a website hosting a video file that crashes the phone's media software and force it to restart. Then, JavaScript on the page sends all known information about the device straight back to the attacker's server. After this, another video file is sent to the device which executes a malware-ridden payload to give the attacker control over the device.

The researchers were able to use knowledge of the existing 'Stagefright' bug, another Android security flaw discovered in 2015 that carried out similar actions to create this fresh exploit and released a video showing how quickly it can be deployed.

What handsets are vulnerable to Metaphor virus?

According to NorthBit, the bug was successfully deployed on devices including the Nexus 5, LG G3, HTC One and Samsung Galaxy S5, and it warns that millions of devices could be at risk. The team also claims the new exploit can be used to target devices running Android 2.2, 4.0, 5.0 and 5.1 – with other versions not thought to the vulnerable.

Stagefright Android flaw

First uncovered in 2015, the Stagefright flaw quickly gained notoriety as it impacted a massive 95% of all Android devices on the market. The developer who discovered it branded it "the worst Android vulnerability discovered to date." Despite Google quickly releasing patches for devices, the fragmented nature of the Android ecosystem meant not everything could be patched at the same time. Then, only a month later, a separate vulnerability was found to be exploiting flaws in how Android devices manage MP3 and MP4 files. Dubbed 'Stagefright 2.0', the exploit was also capable of remotely unloading malicious code.

The 'Metaphor' bug is by no means the only major flaw to have hit the Android platform in recent months. Most recently, a piece of malware called Mazar Bot was uncovered, that gave attackers full administrative rights to monitor and control nearly every aspect of an infected device.