Patch For Android Stagefright Exploit Might Not Be So Effective After All

Considering that Android is installed on around eight out 10 smartphones around the world, it was pretty scary to find out about Stagefright, a vulnerability that's present on almost all of them. Even more frightening is that in many cases, the exploit could be triggered with a simple text message. In theory, an attacker could text your handset while you're sleeping, take control of your phone, and wipe any trace of something nefarious taking place so that you'd never be the wiser.

That got the attention of Google, which patched the MMS exploit and sent the code to wireless carriers. One by one, Android handsets began receiving over-the-air security updates, and just last night, I received a notification from HTC that there was an update available for my One (M7), one that would eradicate Stagefright. Collectively, we began to exhale and go about our business without the worry that we're sitting ducks.

Google Nexus 5

Well, there might still be reason to worry. Even though Google wrote a series of patches to deal with Stagefright, a security researcher with Exodus Intelligence was still able to exploit Android phones by crafting an MP4 to bypass the protections Google put in place.

Exodus said it disclosed to Google that its patch was faulty on August 7, the same day as the Black Hat conference, but hadn't been told when a revised fix might be available. However, it looks like Google is aiming for September.

"We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update," a Google spokesperson told security outfit Threatpost.

Stagefright affects Android devices dating back to Android 2.2. On the plus side, newer builds have built-in protection like ASLR (Address Space Layout Randomization) that make it difficult for Stagefright to run on a single piece of code.