Researchers have found holes in the patch meant to fix a recent flaw that threatens hundreds of millions of Android phones.
“We believe we are likely not the only ones to have noticed it is flawed,” said security firm Exodus in a Thursday blog post. “Others may have malicious intentions.”
The “Stagefright” bug, uncovered in late July, let attackers hijack Android phones by sending a malware-laden video to any device via text message or Google Hangouts. In some cases, the recipient didn’t even need to open the message for hackers to remotely commandeer the device.
According to Zimperium, the research firm that found the vulnerability, Stagefright is among “the worst Android vulnerabilities discovered to date.”
The company estimated the issue affected roughly 95 percent, or 950 million, of all Android devices.
Before Stagefright had even been revealed publicly, Google was already moving quickly to issue updates that would address the issue. But within days of releasing the patches, security researchers at Exodus started noticing problems.
The firm said it could design videos to evade Google’s updates.
“The public at large believes the current patch protects them when it in fact does not,” Exodus said in a Thursday blog post.
The company went public because it says Google has ignored its outreach efforts and continued rolling out the flawed fixes.
“Google has not given us any indication of a timeline for correcting the faulty patch, despite our queries,” Exodus said.
Google told tech news site Engadget on Thursday that over 90 percent of Android devices were protected from Stagefright and that the remaining devices would soon receive the needed updates.
But Exodus is warning that if its researchers can discover flaws in the patch, so will others with malicious intentions.
“There has been an inordinate amount of attention drawn to the bug,” the firm said.