Android Lollipop build LMY48I Stagefright patch for Nexus 6, Nexus 5 and multiple Samsung smartphones including Galaxy S6 and S6 Edge being rolled out
As stated last week by their spokesperson in an emailed reply to Techworm, Google and Android have started rolling out a patch for the dreaded Stagefright vulnerability.
The update, called Android Lollipop Build LMY48I, is being rolled out for users on Sprint in the United States and for multiple Samsung smartphones. According to Sprint update documents, the Google Nexus 6 and Google Nexus 5 should be receiving an update today, while Samsung is rolling out OTA updates to the multiple devices given below.
The Samsung Galaxy S6, S6 Edge, Galaxy S5 and Note Edge are all receiving patches today, and you can find the update documents linked below:
- Samsung Galaxy S6 – G920PVPU2BOGA
- Samsung Galaxy S6 Edge – G925PVPU2BOGA
- Samsung Galaxy S5 – G900PVPU3BOG1
- Samsung Galaxy Note Edge – N915PVPU4COG1
Stagefright is a frightening vulnerability that can be exploited by cyber criminals to take over an Android smartphone by sending a specially crafted multimedia message or a Google Hangout chat.
Joshua Drake from Zimperium Mobile Security discovered six plus one critical vulnerabilities in the native media playback engine called Stagefright. He called these weaknesses the ‘Mother of all Android Vulnerabilities’.
Drake said that the vulnerabilities can be exploited by sending a single multimedia text message to an unpatched Android smartphone. The exploit is deadly, and in some cases, where phones parse the attack code before the message is opened, it is also silent, leaving the user little chance of defending their data.
Stagefright is a native media playback tool used by Android and all these weaknesses reside in it. Drake states that they are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data.
Drake will give the full disclosure along with Proof of Concept at Def Con on 6th August. He also stated that a total of seven vulnerabilities had been sent to Google by 9th April, 2015.
It seems Google is trying to roll out the patches before Drake makes his full disclosure and PoC public at Def Con on 6th August. Samsung smartphones and US Sprint customers should be receiving the update any moment now.
It is assumed that the above build update is for Android Lollipop, going by Sprint’s version history webpage. However, there is still no word from Google about the patch being issued for other Android versions and major manufacturers like HTC, LG, Huawei, etc.
We are again contacting the Google spokesperson for their comments on when the other Android versions as well as manufacturers will start receiving the patch for onward transmission to end users like us.
To check for the update manually, head to Settings > System update > Update now.