
Google Patches Stagefright 2.0 Exploit for Nexus Devices and AOSP

October 6, 2015 - Written By Tom Dawson

Over the summer, there was a big stink over what quickly became known simply as “Stagefright”. The exploit affected many different versions of Android and could take total control of someone’s Android device through an MMS media text message, due to the way that Android handles such messages. This Stagefright exploit has mostly been fixed across the majority of devices from Google, HTC, LG, Samsung, Motorola and Sony, but recently a new exploit reared its head, which predictably became known as ‘Stagefright 2.0’. This version of Stagefright revolved around audio files and worked in a similar way, but Google have apparently already fixed this as well.

According to reports, the October monthly security update for Google's Nexus line of devices includes patches for vulnerabilities in the libFLAC, KeyStore, Media Player Framework, Android Runtime, Mediaserver, and Secure Element Evaluation Kit parts of Android. These fixes have also made their way into AOSP, so ROM builders that build from the open source repo, including CyanogenMod, should pick up these fixes automatically over the next couple of days, which is good news for the wider community. For those interested in checking, builds of Android later than LMY48T as well as any build of Android 6.0 Marshmallow built after October 1st (including the final release) will be fully patched against Stagefright in any form, Google explained recently.

For the majority of users, all of this is good news, but devices from Chinese manufacturers and indeed mid-range and low-end offerings from the likes of Sony, Samsung and LG have yet to be patched for Stagefright in any way. This would arguably leave a large portion of users who are unaware of such exploits wide open to them on the web. Considering the nature of Stagefright, only sites that succeed in convincing users to download software or give up their phone number would succeed in getting to these unprotected users, but that’s hardly the point. With monthly security updates and a new version of Android on the horizon, we hope that these big security breaches are behind us, but manufacturers and carriers will continue to get in the way of Google’s fresh approach to updates.