Millions of Android users are still at risk from the Stagefright vulnerability after Google rolled out a flawed security patch, according to researchers at Exodus Intelligence.
Stagefright affects up to 95 percent of Android devices. It was uncovered on 27 July by researcher Joshua Drake of Zimperium Labs and revealed a flaw at the heart of Android systems.
The firm used the Black Hat security conference in Las Vegas to show how hackers using a malicious text message could gain control of a mobile phone and access sensitive data including text logs and picture messages.
In response Google, Samsung and LG rolled out security patches to fix the flaw and promised to bolster the security of Android with monthly fixes.
However, Jordan Gruskovnjak, a security expert at Exodus, has now released a report indicating that the four-line code included in the Google patch is not enough to fix the problem.
Exodus said that it found discrepancies between how the patch handles 32-bit and 64-bit values, and that Android users should still be wary of an attack.
Gruskovnjak crafted a malicious MP4 file that was able to crash an Android Nexus 5 device in the same way as Stagefright.
Exodus said that it first contacted Google over 120 days ago but did not initially get a response.
"There has been an inordinate amount of attention drawn to the bug. We believe we are not likely to be the only ones to have noticed it is flawed. Others may have malicious intentions," the report warned.
"Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendors' software and hold them accountable to provide a code fix within a deadline period.
"If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting its own customers what hope do the rest of us have?"
Following the release of the findings, Exodus said that it is working alongside Zimperium Labs "to provide coverage for detection of this flaw through its Stagefright Detector app".
Google has since announced an open source security fix for Android devices in another attempt to plug the Stagefright vulnerability.
"Currently over 90 percent of Android devices have a technology called ASLR enabled, which protects users from this issue," Google told V3.
"We've already sent the fix to our partners to protect users, and Nexus 4, 5, 6, 7, 9, 10 and Nexus Player will get the OTA update in the September monthly security update."
Stagefright quickly became notorious for affecting up to 950 million Android devices running Android 2.2 to 5.1.
"These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep," warned Zimperium at the time.
However, Google responded quickly by announcing security updates to partners while releasing them to the public via the Android Open Source Project at the same time.
Banking Trojan that 'wreaked havoc' in Europe and the US in 2014 may have absorbed NSA exploits to spread via network security flaws, not just phishing
Leaks in the run-up to Samsung Galaxy Note 8 launch pretty much gave it all away
Sonos Play 1 speakers cost £180, but customers could suffer if they don't agree changes to privacy policies
US government 'cyber czar' admits briefing against Kaspersky, but doesn't offer any firm evidence