The first patch that Google released to fix the high-profile Stagefright vulnerability in Android was insufficient, one security researcher found, leading to another update being issued.
Google issues second Stagefright fix
Last week, a security expert called Jordan Gruskovnjak discovered that a version of the patch for Stagefright, a flaw which allows a malformed MP4 file to cause a system error, did not fully fix the issue, and he was able to bypass the fix with a new method. Google was apparently notified on August 7th and has already started to distribute another update.
“We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update”, a Google spokesperson said.
Mobile phone companies, in the US at least, have also chipped in by blocking MMS messages that contain exploitable download files.
First revealed to the public in July, Stagefright relies on a bug in the way Android handles multimedia. It allows an attacker to create a malicious MMS message that executes some code when received by or opened on an Android device.
“Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS”, Stagefright’s discoverers explained. “A fully weaponized successful attack could even delete the message before you see it. You will only see the notification”.
Google last week announced plans to issue monthly security updates for Nexus users. LG and Samsung have also committed to distributing those patches to their own devices.