Why you can trust us

Engadget has been testing and reviewing consumer tech since 2004. Our stories may include affiliate links; if you buy something through a link, we may earn a commission. Read more about how we evaluate products.

Fixing 'Stagefright' flaw on Android is harder than we thought

The Stagefright vulnerability for Android won't seem to want to go away. According to Exodus Intelligence researchers one of the patched issued by Google could still allow access to Android devices. The researchers told Engadget via email, "the summary is that the Stagefright vulnerability is still exploitable and the 4-line patch that was implemented is faulty. We have been able to trigger the fault that still affects over 950 million Android devices." The issue with the patch was reported to Google which open sourced the patch for the patch this morning.

Google told Engadget,"currently over 90% of Android devices have a technology called ASLR enabled, which protects users from this issue. We've already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update."

Of course, like with all things Android, outside of the Nexus line, it's a wait and see situation when it comes to updates from phone makers. Hopefully they'll be hitting phones and tablets in the near future. But with only six days notice, Exodus Intelligence didn't give Google or its partners much time to get the patch ready.

Traditionally, researchers give companies 30 days notice about a security issue. This gives both parties adequate time to work on a patch and share information. In the post about the patch issue, the researchers explained that it decided to forgo the usual 30 days because the original issue was reported over 120 days ago, Google was still issuing the faulty patch and the amount of attention the original vulnerability had attracted.

So keep on the lookout for this new patch to fix the old patch.