Even after security patch, Stagefright still likely poses a threat

Google and several of its manufacturer partners rushed to fix a vulnerability in Android that could allow malware to be installed simply by the device receiving an MMS message. Dubbed Stagefright, it was described as the worst vulnerability to be found since the dawn of the new mobile OS era. Sadly, according to one security firm, the patches being released by a number of Android OEMs aren’t enough to fully fix the vulnerability.

The initial fix was simple, and consisted of just four lines of changed code, according to Exodus Intelligence. But the security firm stated that it had worries about the patch even before it actually landed on devices. Since the code wasn’t shipped, it couldn’t verify its suspicions. Now that the patch is available for a number of smartphones, Exodus states that its concerns were on the money.

By creating an MP4 file, one of Exodus’ researchers, Jordan Gruskovnjak, was able to bypass the patch successfully. If he can do it, someone with the right knowledge, skill and desire could do the same. Your phone, even with the security update, is still vulnerable to an attack.

After the festivities concluded and the supposedly patched firmware was released to the public, Jordan proceeded to investigate whether his assumptions regarding its fallibility were well founded. They were.

Despite Exodus Intel having notified Google of the flaw in its patch on August 7th, the company is still rolling out the faulty patch. Only this morning, OnePlus released a security ‘fix’ for its OnePlus One running Oxygen OS, while Sprint rolled out the patch for its HTC One users.

Another concerning factor is that currently, Zimperium’s Stagefright Detector app is unaware of the hole found in the patch. Thankfully, the two companies (Exodus and Zimperium) are working together to ensure that the app isn’t falsely giving users confidence. Let’s just be thankful Google has now agreed to monthly security updates.
