So as it turns out, the Stagefright vulnerability discovered in Android just won’t die. A group of security researchers called Exodus Intelligence have published evidence that the patch still being pushed out in current over-the-air upgrades may not be sufficient to prevent the fault from being triggered. When the original Stagefright vulnerability was reported to Google in April, a patch was created and pushed to devices, but there appears to be a severe problem with it: the four-line patch is faulty. The Exodus Intelligence researchers have publicly disclosed the vulnerability, claiming that Google was made aware of the situation over 120 days ago. Google follows a self-imposed 90-day full disclosure deadline, under which security vulnerabilities are made public within that timeline. Since, as Exodus Intelligence alleges, Google failed to adhere to that standard, the researchers have made the information public themselves.
It is estimated that the flaw could potentially affect 950 million Google customers. That is a huge number of devices. According to Google, “currently over 90% of Android devices have a technology called ASLR enabled, which protects users from this issue. We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update.” It is reassuring that Google is moving quickly to secure the affected devices, but as is often the case with Android, it is up to the hardware manufacturers and carriers to make the fix available for their devices.
The original Stagefright vulnerability was discovered in July by security company Zimperium. They released information that a bug lived deep in the Android OS that would allow a malicious party to cause havoc. The most widely reported hypothetical method would be sending a compromised video via MMS, but any MP4 video embedded in apps or web pages could also potentially put the device at risk. The exploit would use the libStageFright mechanism as its avenue of attack, since certain MMS applications like Google Hangouts process videos automatically so they can be played upon opening. This vulnerability was present in devices dating back to Android 2.2 Froyo, leaving hundreds of millions of devices possibly at risk.