
Incomplete 'Stagefright' Security Patch Leaves Android Vulnerable to Text Hack

Wanna hack someone's Android smartphone by sending just an MMS message?

Yes, you can, because Google's patch for the Stagefright vulnerability in hundreds of millions of Android devices is BUGGY.

Last week, Google issued an official patch for the Stagefright vulnerability that affects 95 percent of Android devices running version 2.2 to version 5.1 of the operating system, an estimated 950 million Android devices in use worldwide.

But the patch is so flawed that hackers can still exploit the Stagefright vulnerability (CVE-2015-3824) anyway.
"The [original] patch is four lines of code and was (presumably) reviewed by Google engineers prior to shipping," researchers at Exodus Intelligence wrote in a blog post published Thursday. "The public at large believes the current patch protects them when it, in fact, does not."

Buggy Patch Issued by Google


The patch doesn't fix the vulnerability, allowing booby-trapped MP4 videos that supply variables with 64-bit lengths to overflow the buffer and crash the smartphone when it tries to open that multimedia message.
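One way a length check can miss a 64-bit length, shown as an added C illustration; it is not Google's patch and not code from the Exodus post. The function names, the 32-bit `size32_t` type and the sample values are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: models a platform whose size_t is 32 bits wide. */
typedef uint32_t size32_t;

/* Flawed guard (illustrative): the subtraction is carried out in 64 bits,
 * so a chunk_size above UINT32_MAX wraps it to a huge value and the
 * "too large" branch is never taken. */
bool flawed_guard_accepts(size32_t have, uint64_t chunk_size) {
    if ((uint64_t)UINT32_MAX - chunk_size <= have)
        return false;                /* rejected as overflowing */
    return true;
}

/* Size the caller would then allocate: the 64-bit sum truncated to 32 bits. */
size32_t alloc_len(size32_t have, uint64_t chunk_size) {
    return (size32_t)((uint64_t)have + chunk_size);
}

/* Hardened guard: compare the untrusted 64-bit length with the room that is
 * left. have never exceeds UINT32_MAX, so this subtraction cannot wrap. */
bool hardened_guard_accepts(size32_t have, uint64_t chunk_size) {
    return chunk_size <= (uint64_t)UINT32_MAX - have;
}

int main(void) {
    const size32_t have = 16;                     /* constructed sample values */
    const uint64_t chunk_size = 0x100000008ULL;   /* 2^32 + 8 */

    printf("flawed guard accepts:   %d\n", flawed_guard_accepts(have, chunk_size));
    printf("buffer would be sized:  %u bytes\n", (unsigned)alloc_len(have, chunk_size));
    printf("hardened guard accepts: %d\n", hardened_guard_accepts(have, chunk_size));
    return 0;
}
```

The flawed guard still rejects lengths that overflow within 32 bits; it only fails once the attacker-controlled length itself needs more than 32 bits.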

The firm notified Google of the issue on August 7th, two days after their Stagefright presentation at the Black Hat conference, but it didn’t receive any reply from the company regarding its release of an updated fix.

Therefore, the firm released code showing how to crash the smartphone by exploiting the Stagefright vulnerability, because the search giant is still "distributing the faulty patch to Android devices via over-the-air updates."

The flawed patch has been assigned the vulnerability identifier CVE-2015-3864, according to the Exodus researchers, but at the moment it is hard to say when a proper fix for the loophole will be available.
"Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor's software," but if it can't "demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?," the Exodus researchers wrote.
When reached for comment, a Google spokesperson confirmed the findings and said the company had distributed the second patch to its OEM partners. However, its own Nexus 4/5/6/7/9/10 and Nexus Player will receive the patch as part of its September patch update.

So, in order to get rid of this problem, you need to keep an eye out for this new patch to fix the old flawed patch.
