Android Stagefright Vulnerability Not Patched Properly by Google

A patch released by Google for one of the recently disclosed Stagefright vulnerabilities affecting the Android mobile operating system is flawed, researchers have warned.

Earlier this year, researchers at mobile security firm Zimperium identified several vulnerabilities in the Stagefright library used in Android (libstagefright) and other software such as Mozilla Firefox. The security holes affect all Android versions since 2.2, but releases prior to 4.1 Jelly Bean are the most exposed because Address Space Layout Randomization (ASLR) mitigations are not properly implemented.

When the issues were disclosed in late July, experts estimated that roughly 950 million Android devices were affected by remote code execution flaws, some of which could be exploited simply by sending an MMS message to the targeted device.

The Stagefright vulnerabilities have been assigned the following CVE identifiers: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829.

On August 5, Google started releasing over-the-air (OTA) security updates for Nexus 4, 5, 6, 7, 9, 10 and Nexus Player devices to address most of these flaws. However, shortly after the search giant started distributing the patches, researchers at Exodus Intel confirmed their suspicion that the fix for an integer overflow triggered in libstagefright during MPEG4 tx3g data processing (CVE-2015-3824) was flawed.

The patch for this potential remote code execution vulnerability, consisting of only four changed lines of code, was provided to Google by Joshua Drake, the Zimperium researcher who uncovered the Stagefright flaws. Drake said the search giant accepted his patches within 48 hours of their submission.

Google has confirmed that the fix for the integer overflow vulnerability does not work as intended and assigned the CVE-2015-3864 identifier to the new issue. However, as of August 13, the company was still pushing out the updates containing the buggy patch.

The search giant says it has already provided a fix to its partners. The company intends to send out the new patch to Nexus 4, 5, 6, 7, 9, 10 and Nexus Player devices with the September OTA updates.

“Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period. If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?” Exodus Intel wrote in a blog post.

Several serious flaws have been found in Android over the past weeks. Earlier this month, researchers at IBM disclosed several serialization vulnerabilities that can be exploited by malicious apps to escalate privileges, allowing attackers to take control of devices.

The large number of vulnerabilities, combined with the long time patches take to reach devices because of ecosystem fragmentation, has made Android a tempting target for cybercriminals. Device manufacturers have started acknowledging the importance of time sensitivity when it comes to addressing critical vulnerabilities, which is why Google, Samsung and other companies recently promised to provide regular security updates.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
