FYI.

This story is over 5 years old.

Tech

Android's Stagefright Patch Not Up to Scratch, Say Researchers

Security researchers claim Google's original patch for the Stagefright bugs affecting Android users still leaves devices vulnerable.

Android users were up in arms last month at the news of the Stagefright bug: a serious vulnerability that could have affected up to 950 million devices. In response, Google released a patch, and the fix has been making its way to users.

But that patch wasn't enough, and Google has now had to push out another.

Exodus Intelligence, a cybersecurity research company, took to its blog yesterday to break the news. Researcher Jordan Gruskovnjak had suspected that the proposed patch wasn't up to scratch, and after it was released he was able to test his theory out.

Advertisement

The original vulnerability was in Android's code library that handles multimedia files; researchers found they could use Multimedia Message Service (MMS) to take advantage of the bugs.

While the fix released by Google did address some of these problems, it missed one which allows an attacker to craft MP4 files to attack the device. When Gruskovnjak made an MP4 file to get around the patch, he was met with a crash report.

"The public at large believes the current patch protects them when in fact it does not."

Exodus told Google about the problem on August 7, but said it had not received a reply about when a new patch would be released and so decided to release the information publicly.

"The public at large believes the current patch protects them when in fact it does not," Exodus' blog reads.

Although the patch workaround hasn't been used in an offensive exploit yet, both Gruskovnjak from Exodus and Joshua Drake, the Zimperium researcher who found Stagefright, think it's possible.

"There has been an inordinate amount of attention drawn to the bug–we believe we are likely not the only ones to have noticed it is flawed. Others may have malicious intentions," the Exodus blog post continues.

PC World reported on Thursday that Google had sent a new patch out. Google did not immediately respond to requests for comment.

This discovery has also had a knock-on effect on Stagefright Detector, an app made by Zimperium, the company who originally discovered the vulnerability, which allows users to check if their device is at risk.

Exodus said it is working with Zimperium to ensure that the app also exposes this latest vulnerability.

But of course, there is still one fundamental problem with Android: the patch might take ages to reach customers' phones, or possibly never get to them at all.

Update August 14: In an emailed comment, Google said, "We've already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update."