Google’s Stagefright Patch Fails, 950M Android Devices Still at Risk

If you thought you had finally overcome Stagefright, the software vulnerability that afflicts Froyo and later versions of the Android mobile operating system, think again. The vulnerability, which could potentially allow hackers to gain remote access to an Android device, was supposed to be addressed last week with a patch Google pushed out to the estimated 950 million devices running Android 2.2 and later.

The only problem is that the patch doesn’t work, according to IT security firm Exodus Intelligence. The patch, dubbed CVE-2015-3824 by Google, consists of a mere four lines of code. It was created by Joshua Drake, a security researcher with mobile security firm Zimperium, who submitted it to Google when he discovered the Stagefright vulnerability in April. The company approved of his patch within 48 hours.

Suspicions Began Last Month

But researchers at Exodus began to suspect there were problems with the patch last month, the company said. “Around July 31st, Exodus Intelligence security researcher Jordan Gruskovnjak noticed that there seemed to be a severe problem with the proposed patch,” according to an Exodus blog post. “As the code was not yet shipped to Android devices, we had no ability to verify this authoritatively.”

Since then, the patch has been widely distributed, giving Exodus the opportunity to examine the vulnerability more closely. And last week at the Black Hat security conference in Las Vegas, hundreds of the world’s security experts discussed the exploit at length.

“After the festivities concluded and the supposedly patched firmware was released to the public, Jordan proceeded to investigate whether his assumptions regarding its fallibility were well founded,” Exodus said. “They were.” Gruskovnjak was able to create an MP4 capable of bypassing the Zimperium patch.

No Response from Google

Exodus said it notified Google of the issue on August 7, but has still not received...
