Bad news. Researchers at security firm Zimperium found a serious vulnerability in Android 2.2 and later, which could allow attackers to hijack a device just by sending an MMS message carrying a maliciously crafted video file. The researchers informed Google of the problem in April, and made their findings public in July.
Good news. With the news of the security hole now public, Google and Samsung woke up to the threat, and announced that they would be regularly sending out security updates in future, to better protect millions of users. A fix for Stagefright was released.
Bad news. Seven days after Google released the security patch, researchers at Exodus Intelligence revealed that the fix didn’t actually work properly: they had managed to create a boobytrapped MP4 file that bypassed Google’s protection and crashed patched devices.
In the aftermath of Stagefright being disclosed, it seemed that Google was grabbing the opportunity to do something more positive security-wise, and make greater efforts (with other manufacturers) to get security updates onto the devices of Android owners.
However, it seems their latest security update simply doesn’t work as advertised.
Exodus Intelligence doesn’t mince its words:
Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendors’ software and hold them accountable to provide a code fix within a deadline period. If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?
Come on Google, sort it out. And maybe spend a little less time poking holes in other people’s products, if you haven’t got your own house in order.
Don’t forget, the Stagefright flaw is estimated to have put some 950 million Android users at risk.
Further reading: Here’s what Google thinks of Android security, 2011-present.