Stagefright patch fails, Android still vulnerable

Millions of Android phones are still vulnerable to the Stagefright bug, after Google issued a flawed security patch which failed to fix the issue.

In case you haven't heard of Stagefright, it's a security vulnerability located at the very heart of the Android operating system, which allows a person to take over a victim’s phone by simply sending an MMS or a video message.

The attacker can then gain access to sensitive data, including text logs and picture messages.

Zimperium Labs researcher Joshua Drake first uncovered the vulnerability at the Black Hat Conference in Las Vegas, where it was revealed that it affects Android devices from version 2.2 to 5.1.

In response, Google, Samsung and LG rolled out security patches to fix the flaw and promised to bolster the security of Android with monthly fixes.

However, Jordan Gruskovnjak, a security expert at Exodus, has now released a report indicating that the four-line code change included in the Google patch is not enough to fix the problem.

The company says the patch handles 32-bit and 64-bit values in a different manner, which is why Android users could still be victims of such an attack.
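One way a length check that mixes 32-bit and 64-bit values can fail to reject an oversized input, shown as an added illustration. This is not the Android patch or code from the Exodus report; the function names, integer widths and sample values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration: `size` models a 32-bit size_t, `chunk_size`
 * a 64-bit length field read from an untrusted file. Names are hypothetical. */

/* Flawed guard: UINT32_MAX is converted to 64 bits for the subtraction, so a
 * chunk_size above UINT32_MAX wraps the result to a huge value and the
 * comparison never rejects it. Returns 0 on success, -1 if rejected. */
int total_len_flawed(uint32_t size, uint64_t chunk_size, uint32_t *out)
{
    if (UINT32_MAX - chunk_size <= size)
        return -1;
    *out = (uint32_t)(size + chunk_size);   /* silently truncated to 32 bits */
    return 0;
}

/* Corrected guard: the right-hand side is computed in 32 bits and cannot
 * wrap, so every chunk_size that would push the sum past UINT32_MAX fails. */
int total_len_checked(uint32_t size, uint64_t chunk_size, uint32_t *out)
{
    if (chunk_size > (uint64_t)(UINT32_MAX - size))
        return -1;
    *out = size + (uint32_t)chunk_size;
    return 0;
}

int main(void)
{
    uint32_t size = 16, out = 0;
    uint64_t chunk_size = 0x100000008ULL;   /* constructed: just over 2^32 */

    if (total_len_flawed(size, chunk_size, &out) == 0)
        printf("flawed: accepted, buffer length %u for %llu bytes of data\n",
               out, (unsigned long long)(size + chunk_size));
    if (total_len_checked(size, chunk_size, &out) != 0)
        printf("checked: rejected\n");
    return 0;
}
```

The flawed guard still rejects sums that overflow while `chunk_size` fits in 32 bits, which is why a check like this can pass review and testing on ordinary inputs.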

Gruskovnjak crafted a malicious MP4 file that was able to crash an Android Nexus 5 device in the same way as Stagefright.

Exodus said that it first contacted Google over 120 days ago but did not initially get a response.

"There has been an inordinate amount of attention drawn to the bug. We believe we are not likely to be the only ones to have noticed it is flawed. Others may have malicious intentions," the report warned.

Google has since announced an open source security fix for Android devices in another attempt to plug the Stagefright vulnerability.

"Currently over 90 percent of Android devices have a technology called ASLR enabled, which protects users from this issue," Google told V3.

"We've already sent the fix to our partners to protect users, and Nexus 4, 5, 6, 7, 9, 10 and Nexus Player will get the OTA update in the September monthly security update."