Android's Stagefright Flaw Returns, Google Issues Patch | eWeek

Android’s Stagefright Flaw Returns, Google Issues Patch

Android security
Aug 15, 2015
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Among the big stories to break at the Black Hat USA conference this year was the Android security vulnerabilities in the libstagefright media framework, impacting 950 million users. Google claimed last week that it had fixed the Stagefright flaws, but new research from security firm Exodus Intelligence now alleges otherwise.

“The issue is still exploitable, despite the patches currently being shipped to Android devices,” Exodus Intelligence wrote in a blog post on Aug. 13. “As of this morning, Google has notified us they have allocated the CVE [Common Vulnerabilities and Exposures] identifier CVE-2015-3864 to our report.”

As of Aug. 14, Google has actually made an open-source patch available for the CVE-2015-3864 issue. Although Google does not debate the fact that the issue exists, the company claims that the risk to users is not all that large.

“Currently over 90 percent of Android devices have a technology called ASLR (Address Space Layout Randomization) enabled, which protects users from this issue,” Google wrote in a statement to eWEEK. “We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA (Over the Air) update in the September monthly security update.”

During the Black Hat event, Google’s Android chief Adrian Ludwig announced a more aggressive, regular update schedule for Android devices. Ludwig also explained in great detail during his session the multiple layers of security in the Android ecosystem that prevent the exploitation of Stagefright-type flaws. Those layers include the Google Play app store itself, which scans apps for malicious code.

For those users who are running non-Google Play apps, there is also the Google Safety Net, which is an intrusion prevention system for a billion Android devices. Additionally, Google has the Verify Apps system, which is effectively an antivirus system for all forms of apps that run on Android.

Perhaps most importantly though, Ludwig emphasized that apps don’t run on Android unless a user enables the app to do so.

Zimperium zLabs Vice President of Platform Research and Exploitation Joshua Drake, the original researcher who first disclosed the Stagefright issues, is not surprised at the new disclosure from Exodus Intelligence.

“I don’t agree with their methods, but if what they say is true about reporting it 120 days ago, I support them in going full-disclosure,” Drake told eWEEK. “I’m certainly not surprised that there are still bugs in the code.”

Exodus Intelligence and Zimperium are now working together to help users detect if they are potentially at risk. Zimperium has an app called Stagefright detector that alerts users if their version of Android is not patched for Stagefright related flaws.

“They [Zimperium] have been very responsive (more so than the affected vendor) and we plan to alert them of similar flaws we’ve recently discovered,” Exodus Intelligence stated.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.