A group of Israeli researchers reckon they’ve cracked the challenge of crafting a reliable exploit for the Stagefright vulnerability that emerged in Android last year.

Their paper, a PDF that is basically a cookbook on how to build the exploit for yourself, suggests that millions of unpatched Android devices are vulnerable to their design, which bypasses Android’s security defenses. According to what we have found out, visiting a hacker’s web page is enough to trigger a system compromise.

These days, there is no piece of infosec that has not got a name associated with it. The paper, written by Hanan Be’er of North-Bit, dubs the implementation of the Stagefright exploit “Metaphor.”

Stagefright is a software library that Android uses to parse videos and other media. It can be exploited by a booby-trapped message or web page to execute malicious code on exposed devices.

The paper lays out a three-step process for exploiting an Android device. When the victim surfs to a malicious web page, the page sends a video file that crashes the operating system’s media server software to reset its internal state. Some JavaScript on the page waits for the media server to restart, and then sends information about the device over the internet to the attacker’s private server.

After this, the server generates a custom video file and sends it to the device, where it exploits Stagefright to reveal information about the device’s internal state. The JavaScript sends this information back to the attacker’s server, which uses the data to craft another video file that, when processed by Stagefright, starts executing a payload of malware embedded within the file on the victim’s handheld. This code runs with all the privileges it needs to spy on the device’s owner.