The patch for Android's Stagefright vulnerability won't actually protect your phone, some security researchers say. According to Jordan Gruskovnjak and Aaron Portnoy of Exodus Intelligence, a malformed MP4 file can still create a buffer overflow, a vulnerability that could then be used to compromise 950 million Android phones.
The Exodus blog post walks through the vulnerability. A function in libStagefright reads two values from an MP4 file's chunk header, chunk_size and chunk_type, as 32-bit integers. If chunk_size holds the value 0x01, the function instead reads a 64-bit size from the file. According to the researchers, if an MP4 is crafted with a chunk size of 0x1fffffff (or any other value outside the bounds of a 32-bit integer), a flaw in the Stagefright patch's boundary-checking code means it is still possible to trigger a buffer overflow.
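To make the integer-width problem concrete, here is an added C example; it is not code from the article, from Exodus or from the Android source. It models an MP4 box header parser (a 32-bit size field, replaced by a 64-bit size when the field holds 1), a weak bounds check that only looks at the size after it has been narrowed to 32 bits, and a hardened check that keeps every comparison in 64 bits and rejects any size that cannot fit a 32-bit size_t. The box type 'free', the constructed header bytes, the limit values and all function names are assumptions for illustration; the weak check models the class of flaw the article describes, not the actual patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal model of an MP4 (ISO BMFF) box header: a 32-bit size, a 32-bit
   type, and, when the 32-bit size is exactly 1, a 64-bit size that follows. */
typedef struct {
    uint64_t chunk_size;   /* always held in 64 bits after parsing */
    uint32_t chunk_type;   /* four-character code, e.g. 'free' */
    size_t   header_len;   /* 8 bytes, or 16 with the 64-bit size */
} box_header;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Parse one box header from buf; returns false if buf is too short. */
bool parse_box_header(const uint8_t *buf, size_t len, box_header *out) {
    if (len < 8) return false;
    out->chunk_size = be32(buf);
    out->chunk_type = be32(buf + 4);
    out->header_len = 8;
    if (out->chunk_size == 1) {          /* 64-bit size variant */
        if (len < 16) return false;
        out->chunk_size = be64(buf + 8);
        out->header_len = 16;
    }
    return true;
}

/* Weak check (illustrative): the 64-bit size is narrowed to 32 bits before
   the comparison, so a size whose low 32 bits are small passes even though
   the real value is far above the limit. This is the pattern to avoid. */
bool weak_accept(uint64_t chunk_size, uint32_t already_have, uint32_t limit) {
    uint32_t total = (uint32_t)chunk_size + already_have;   /* truncation */
    return total <= limit;
}

/* Hardened check: stay in 64 bits, reject sizes that cannot fit a 32-bit
   size_t, and phrase "a + b <= limit" as a subtraction so nothing wraps. */
bool safe_accept(uint64_t chunk_size, uint32_t already_have, uint32_t limit) {
    if (already_have > limit) return false;
    if (chunk_size > UINT32_MAX) return false;
    return chunk_size <= (uint64_t)limit - already_have;
}

/* Constructed sample header (not from any real file): 32-bit size field 1,
   type 'free', then a 64-bit size of 0x0000000100000010 (4 GiB + 16). */
static const uint8_t SAMPLE_HEADER[16] = {
    0x00, 0x00, 0x00, 0x01,  'f',  'r',  'e',  'e',
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10
};

int main(void) {
    box_header h;
    if (!parse_box_header(SAMPLE_HEADER, sizeof(SAMPLE_HEADER), &h)) return 1;
    printf("chunk_size = 0x%llx, header_len = %zu\n",
           (unsigned long long)h.chunk_size, h.header_len);
    printf("weak check accepts: %d\n", weak_accept(h.chunk_size, 0, 1024));
    printf("safe check accepts: %d\n", safe_accept(h.chunk_size, 0, 1024));
    return 0;
}
```

Run against the constructed header, the weak check accepts a 4 GiB size because its low 32 bits are 16, while the hardened check rejects it outright; the hardened check also rejects a legitimate 32-bit size once it would not fit in the remaining space.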
Exodus says it notified Google of its findings on August 7. The company asked Google for a timeframe for another fix, but has not received a response. Since the Stagefright vulnerabilities were originally reported to Google in April, and it's been more than 90 days since that original disclosure, Exodus has decided to make the results of its research public. For now, even patched Android devices appear to remain vulnerable to the bug.