Security company: Android patch doesn’t protect against Stagefright bug

Google recently started rolling out a patch to protect against the Stagefright bug in Android, but security company Exodus says the software isn’t enough. The bug would still be exploitable. Google says it is working on a second patch.

In a blog post, Exodus states that it was able to hack a Nexus 5 that had the patch, which incidentally consists of four lines of new code, via the Stagefright bug. On its blog, Exodus provides the technical details for bypassing the security, thus demonstrating that the bug fix that Google previously rolled out is not enough to fix the Android flaw.

Google has already responded to the publication and said in a statement published by The Verge that it is aware of the problems with the patch. A second bug fix has already been released, which other Android manufacturers now have. It is therefore likely that the bug will be fixed in the long term. Google’s devices in the Nexus line will receive the new patch in mid-September.

Other manufacturers have also promised to fix the Stagefright bug. It is unclear whether they will immediately put the new fix on their devices, or whether this will only come in a second patch round. Stagefright is the name of a video framework in Android and it appears to crack with a rogue video. As a result, malicious parties can take over the smartphone. Since the bug has been in the operating system since Android 2.2, nearly a billion devices are vulnerable.