Millions of Android users remain at risk of being attacked through one of the worst vulnerabilities to hit Google's mobile operating system due to a flawed patch, researchers say.
Last week, Google released an update to Android intended to fix the 'Stagefright' flaw.
The vulnerability allows attackers to execute arbitrary malicious code on devices through a specially crafted multimedia message.
No user interaction is needed, and attackers can set malware to delete messages before they are even seen by the victim.
The bug affects around 950 million Android devices, and exists within the Stagefright media library - used for timing-sensitive applications - which researchers found was vulnerable to memory corruption.
Android version 2.2 and newer versions are vulnerable, with devices prior to the "Jelly Bean" release most at risk due to inadequate exploit mitigations.
But security researchers at Exodus Intelligence today said the patch released by Google was flawed enough that attackers can continue to exploit the hole - despite Google having had the patch in the works since April this year.
"The patch is four lines of code and was (presumably) reviewed by Google engineers prior to shipping. The public at large believes the current patch protects them when it in fact does not," they wrote.
The researchers said they had noted "severe" issues with the patch in late July, but weren't able to verify them as the patch hadn't yet been shipped.
After the "supposedly patched firmware" was released to the public last week, the researchers said they tested their assumptions and found they had been correct.
"With the updated firmware flashed to a Nexus 5 device, [Exodus Intelligence security researcher Jordan Gruskovnjak] crafted an MP4 to bypass the patch and was greeted with [a] crash upon testing," they wrote.
The patch closed some but not all of the ways to exploit the vulnerability: malicious MP4 videos that supplied variables with 64-bit lengths could still overflow the buffer, the researchers found.
Google has been notified of the problem and has allocated the CVE identifier CVE-2015-3864 to the issue.
A Google spokesperson said it had distributed the new patch to its OEM partners, and its own Nexus devices will receive the fix as part of its September patch update.
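To illustrate how a length check can miss the 64-bit lengths the researchers describe, the following added example (not Google's patch and not Stagefright code) puts a guard that a 64-bit length slips past beside a corrected one. The function names, the 32-bit allocation width and the sample values are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: a 32-bit target, so allocation sizes are 32 bits wide.
 * uint32_t stands in for size_t so the result is the same on any host.
 * All names are hypothetical. */
typedef uint32_t alloc_size_t;
#define ALLOC_MAX UINT32_MAX

/* Flawed guard: the subtraction is evaluated in 64 bits, so a chunk_len
 * above ALLOC_MAX wraps to a huge value and the comparison never fires. */
bool flawed_check(alloc_size_t have, uint64_t chunk_len, alloc_size_t *total)
{
    if (ALLOC_MAX - chunk_len <= have)
        return false;
    *total = (alloc_size_t)(have + chunk_len); /* truncated to 32 bits */
    return true;
}

/* Hardened guard: range-check the 64-bit value before any arithmetic,
 * then do the overflow test entirely in the narrower type. */
bool safe_check(alloc_size_t have, uint64_t chunk_len, alloc_size_t *total)
{
    if (chunk_len > ALLOC_MAX)
        return false;
    if ((alloc_size_t)chunk_len > ALLOC_MAX - have)
        return false;
    *total = have + (alloc_size_t)chunk_len;
    return true;
}

int main(void)
{
    /* Constructed input: a declared length just past 2^32. */
    uint64_t declared = (UINT64_C(1) << 32) + 8;
    alloc_size_t total = 0;

    if (flawed_check(16, declared, &total))
        printf("flawed: accepted, buffer sized %u for %llu declared bytes\n",
               (unsigned)total, (unsigned long long)declared);
    if (!safe_check(16, declared, &total))
        printf("safe: rejected\n");
    return 0;
}
```

The flawed guard still catches a plain 32-bit wraparound, which is why such a check can pass review and testing with ordinary inputs.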