'Millions' of Android phones vulnerable to new Stagefright exploit
(changed title to make it clearer)
http://www.theregister.co.uk/2016/03/17/stagefright_aslr_bypass/
A group of Israeli researchers reckon they've cracked the challenge of crafting a reliable exploit for the Stagefright vulnerability that emerged in Android last year.
In a paper [PDF] that's a cookbook on how to build the exploit for yourself, they suggest millions of unpatched Android devices are vulnerable to their design, which bypasses Android's security defenses. Visiting a hacker's webpage is enough to trigger a system compromise, we're told.
Since no hot piece of infosec action exists without a name these days, the paper, written by Hanan Beer of North-Bit, dubs the implementation of the Stagefright exploit Metaphor.
Stagefright is the name of a software library used by Android to parse videos and other media; it can be exploited by a booby-trapped message or webpage to execute malicious code on vulnerable devices.
On edit: The good news is further down in the article. Google has released a patch for it.