Android's Stagefright Flaw Returns, Google Issues Patch

Google last week claimed it had fixed the Stagefright flaw, but it is back. Or did it ever actually really get fixed in the first place?

Android security

Among the big stories to break at the Black Hat USA conference this year was the Android security vulnerabilities in the libstagefright media framework, impacting 950 million users. Google claimed last week that it had fixed the Stagefright flaws, but new research from security firm Exodus Intelligence now alleges otherwise.

"The issue is still exploitable, despite the patches currently being shipped to Android devices," Exodus Intelligence wrote in a blog post on Aug. 13. "As of this morning, Google has notified us they have allocated the CVE [Common Vulnerabilities and Exposures] identifier CVE-2015-3864 to our report."

As of Aug. 14, Google has actually made an open-source patch available for the CVE-2015-3864 issue. Although Google does not debate the fact that the issue exists, the company claims that the risk to users is not all that large.

"Currently over 90 percent of Android devices have a technology called ASLR (Address Space Layout Randomization) enabled, which protects users from this issue," Google wrote in a statement to eWEEK. "We've already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA (Over the Air) update in the September monthly security update."

During the Black Hat event, Google's Android chief Adrian Ludwig announced a more aggressive, regular update schedule for Android devices. Ludwig also explained in great detail during his session the multiple layers of security in the Android ecosystem that prevent the exploitation of Stagefright-type flaws. Those layers include the Google Play app store itself, which scans apps for malicious code.

For those users who are running non-Google Play apps, there is also the Google Safety Net, which is an intrusion prevention system for a billion Android devices. Additionally, Google has the Verify Apps system, which is effectively an antivirus system for all forms of apps that run on Android.

Perhaps most importantly though, Ludwig emphasized that apps don't run on Android unless a user enables the app to do so.

Zimperium zLabs Vice President of Platform Research and Exploitation Joshua Drake, the original researcher who first disclosed the Stagefright issues, is not surprised at the new disclosure from Exodus Intelligence.

"I don't agree with their methods, but if what they say is true about reporting it 120 days ago, I support them in going full-disclosure," Drake told eWEEK. "I'm certainly not surprised that there are still bugs in the code."

Exodus Intelligence and Zimperium are now working together to help users detect if they are potentially at risk. Zimperium has an app called Stagefright detector that alerts users if their version of Android is not patched for Stagefright related flaws.

"They [Zimperium] have been very responsive (more so than the affected vendor) and we plan to alert them of similar flaws we've recently discovered," Exodus Intelligence stated.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.