The patch process for Android's Stagefright vulnerability hasn't gone quite as smoothly as Google hoped. Just eight days after Google, manufacturers, and carriers rushed out a fix for Stagefright, researchers at Exodus Intelligence are saying there's a problem with one of the patches, and phones could still be vulnerable under the right circumstances. After the patch was deployed, Exodus was able to trigger a system crash in one phone by attacking it with an appropriately encoded mp4 file over MMS. It's unclear whether the bug could be exploited for code execution as well as system shutdown.

Reached for comment, Google confirmed the findings, and said a second patch was already being sent out. "We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update," the company said in a statement. It's unclear when non-Nexus phones will get the new patch, but it's likely to be folded into the monthly rolling patch systems established in the wake of Stagefright. Google also emphasized mitigation systems like Address Space Layout Randomization, which make exploiting such a bug a persistent challenge on Android devices.

"We believe we are likely not the only ones to have noticed it is flawed."

Exodus' announcement is an unorthodox way to disclose the bug, since Google has had less than a week to develop and deploy a patch for the bug, far short of the standard 90-day quiet period. But Exodus defended the disclosure in a blog post, saying they considered the flaw covered as part of the initial vulnerability disclosure, and couldn't keep the bug secret in light of the broad impact and intense public awareness of Stagefright. "There has been an inordinate amount of attention drawn to the bug," Exodus said. "We believe we are likely not the only ones to have noticed it is flawed. Others may have malicious intentions."