A few days ago, a security researcher revealed that up to 950 million Android devices are susceptible to a hack that takes advantage of one of the platform’s messaging features. Since then, Google and various OEMs confirmed they’re releasing, or will release, fixes for Stagefright – which is what the security issue has been named.
Google recently claimed to have patched the bug, but it appears that Google’s fix can be bypassed so the Stagefright bug can still be used by hackers.
According to the BBC, security company Exodus Intelligence says the update that Google released could give people a “false sense of security.” The company has been able to bypass the patch easily, and the vulnerability is still present.
“The public at large believes the current patch protects them when it in fact does not,” Exodus wrote on its blog.
Meanwhile, Google says that its fix applies to more than Nexus devices and that 90% of devices should be safe from Stagefright. Google told the BBC that Android users are protected by a security feature called “address space layout randomization (ASLR),” which should make the hacker’s job a lot harder.
“The patch is 4 lines of code and was (presumably) reviewed by Google engineers prior to shipping,” Exodus Intelligence added.
“If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?”
The security company further noted that Google knew about the flaw for more than 120 days without fixing it. It looks like it’s indeed as difficult as expected for Google to patch this major security flaw, and it’ll take more than a quick update to get the job done.