Good news/bad news about Google’s Android Stagefright patch

Android stagefright Bad news. Researchers at security firm Zimperium found a serious vulnerability in version 2.2 of Android and later, which could allow attackers to hijack control just by sending an MMS message with a maliciously-crafted movie file. The researchers informed Google of the problem in April, and made their findings public in July.

Good news. With the news of the security hole now public, Google and Samsung woke up to the threat, and announced that they would be regularly sending out security updates in future, to better protect millions of users. A fix for Stagefright was released.

Google's Stagefright patch

Bad news. Seven days after Google released the security patch, researchers at Exodus Intelligence revealed that the fix didn’t actually work properly, and that they had managed to create a boobytrapped MP4 file that bypassed Google’s protection and crash devices.

Sign up to our free newsletter.
Security news, advice, and tips.

Oh dear.

In the aftermath of Stagefright being disclosed, it seemed that Google was grabbing the opportunity to do something more positive security-wise, and make greater efforts (with other manufacturers) to get security updates onto the devices of Android owners.

However, it seems their latest security update simply doesn’t work as advertised.

Exodus Intelligence doesn’t mince its words:

Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period. If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?

Come on Google, sort it out. And maybe spend a little less time poking holes in other people’s products, if you haven’t got your own house in order.

Don’t forget, the Stagefright flaw is estimated to have put some 950 million Android users at risk.

Further reading: Here’s what Google thinks of Android security, 2011-present.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Good news/bad news about Google’s Android Stagefright patch”

  1. Coyote

    "The researchers informed Google of the problem in April, and made their findings public in July."

    The irony is incredibly amusing. Let's do the maths:

    April is month 4.
    July is month 7.
    August is month 8.
    A month is ~30 days which means three months is ~90 days.

    We can all agree there. So, August - April is 4 months * 30 days = 120 days. 120 days - 90 days = 30 days over the time frame Google gave other organisations before releasing POC code. And whether or not the researchers released the data in July (therefore three months = 90 days) is mostly immaterial: the fix was only released when? This month (8)? But they were notified in April(4)! And the fix already has been shown to be broken. So not only are they over the 90 days, they are in the following month (don't know when in April but we're already half way through August), and even if it was the end of April, Google still doesn't have a properly working patch here.

    It is known that Google is hypocritical but this is a rather amusing example of it. Keep it up Google. We know that as long as you do everything your own way then everything will be better; you constantly prove it including here.

  2. David L

    Hi all,

    There are multiple avenues that Google needs to fix on this issue alone. Because it is not just the mms in messaging apps that can be exploited. File managers are vulnerable as well as video ads in browsers (Except Firefox mobile). There are other settings to help mitigate these,and ASLR can be bypassed,contrary to Ludwigs assertions.

    And not enough is being written about Certifi-gate. This one CAN be initiated with an SMS message. Yes,sms can be used for Certifi-gate. Only Team Viewer has patched their app. But if it is factory installed,then a patch has to come by the usual crappy update methods. There are multiple other remote tools being used,and even the updated apps are no sure way to mitigate,as an attacker can just use the older certificate. And then there are several other vulns revealed from Defcon and Usenix conferences. Google knew about ALL THESE months ago,hence their new update policy,or should I say,"face saving stratagem" because Android for work,will surely take a major hit, as ISOs know about ALL this crap.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.