Google's Android Stagefright Security Patch Is Flawed, Says Researcher

Android's Stagefright vulnerability has received its share of concerns and patch release announcements from various Android OEM manufacturers, including a new monthly security update cycle. The problem however seems to still be around even after Google released a patch this month for its Nexus devices that was claimed to fix the Stagefright bug.

Jordan Gruskovnjak, a security researcher from Exodus Intelligence has discovered 'severe' problems with patch rolling out to Nexus devices. Jordan also claimed that the Stagefright Detector app released by Zimperium (the company that reported the issue initially) is unable to detect the flaw that remains after the patch, which just contains four lines of code.

"Despite our notification (and their confirmation), Google is still currently distributing the faulty patch to Android devices via OTA updates," notes Exodus Intelligence.

To recall, Stagefright is an open source media player and which is believed to be used on about 95 percent of Android devices, an estimated 950 million users. The vulnerability, if exploited, can let attackers take control of an Android device by sending a specially crafted media file delivered by an MMS message.

"Along with the initial bug report, a set of patches to stagefright flaws were supplied and accepted by Google. One of these patches, addressing CVE-2015-3824 (aka Google Stagefright 'tx3g' MP4 Atom Integer Overflow) was quite simple, consisting of merely 4 lines of changed code," notes Exodus Intelligence official blog.

Jordan tested out a Nexus 5 with an updated firmware flashed to it and was greeted with a crash upon testing. He was able to test the flaw through a specially-crafted mp4 file that bypassed the patch.

The security research company says that it notified Google, and was told the Mountain View company has allocated the CVE identifier CVE-2015-3864 to its report. The company claims that it had to make the issue public with their findings to notify everybody about the issue.

Google confirmed the findings to The Verge, and added that a second patch was already being pushed out. "We've already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update," said Google in a statement.

The company however did not comment when non-Nexus devices can expect to receive the patch.

Last week, Google and Samsung announced they will offer a monthly security patch to their devices. LG and Motorola also joined to reveal Stagefright vulnerability patches.