Android’s Stagefright vulnerability just won’t exit stage left. According to Exodus Intelligence researchers, Android devices remain exploitable even after the patch issued by Google, because the four-line patch is faulty.
They were able to trigger the fault that still affects over 950 million Android devices. The issue with the patch was reported to Google, which open sourced the patch this morning.
Currently over 90% of Android devices have a technology called ASLR (address space layout randomization) enabled, which protects users from this issue. Google has reportedly already sent the fix to its partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update.
Still no word on when the update will be available from other phone manufacturers. Hopefully it’ll be available for phones and tablets in the near future.
Google was only given six days’ notice from Exodus when the bug was found. Researchers usually give companies 30 days’ notice of security issues. This gives both parties adequate time to work on a patch and share information. The researchers explained in a post that they decided to forgo the usual 30 days because the original issue was reported over 120 days ago and Google was still issuing a faulty patch. The amount of attention surrounding the original vulnerability also played a part in their decision to give notice in this way.
Keep looking out for a new patch to fix the old patch …