Google and several of its manufacturer partners rushed to fix a vulnerability in Android that could allow malware to be installed simply by receiving an MMS message. Dubbed Stagefright, it was described as the worst vulnerability to be found since the dawn of the new mobile OS era. Sadly, according to one security firm, the patches being released by a number of Android OEMs aren’t enough to fully fix the vulnerability.
The initial fix was simple, and consisted of just four lines of changed code, according to Exodus Intelligence. But the security firm stated that it had worries about the patch even before it actually landed on devices. Because the patched code had not yet shipped, it couldn’t verify its suspicions. Now that the patch is available for a number of smartphones, Exodus states that its concerns were on the money.
By creating an MP4 file, one of Exodus’ researchers, Jordan Gruskovnjak, was able to bypass the patch successfully, meaning that if he can do it, someone with the right knowledge, skill and desire could do the same. Your phone, even with the security update, is still vulnerable to an attack.
After the festivities concluded and the supposedly patched firmware was released to the public, Jordan proceeded to investigate whether his assumptions regarding its fallibility were well founded. They were.
Despite Exodus Intel having notified Google of the flaw in its patch on August 7th, the company is still rolling out the faulty patch. Only this morning, OnePlus released a security ‘fix’ for its OnePlus One running Oxygen OS, while Sprint rolled out the patch for its HTC One users.
Another concerning factor is that Zimperium’s Stagefright Detector app is currently unaware of the hole found in the patch. Thankfully, the two companies (Exodus and Zimperium) are working together to ensure that the app isn’t falsely giving users confidence. Let’s just be thankful Google has now agreed to monthly security updates.