Google and Android announced Wednesday that they started distributing a fix for the critical vulnerability that could have caused millions of phones to be infected by malware through a malformed text message.
The flaw resides in an Android code library known as Stagefright and was disclosed last week, several months after security researchers privately reported it to the engineers responsible for maintaining Google’s Android mobile operating system. Following the unscheduled public release, Google engineers rushed to introduce changes to the Android text message app. Engineers were able to mitigate the glaring threat by requiring users to click on videos before playing them.
Google began pushing out the updated text app, along with other security enhancements, to Nexus devices first, and will release the changes as open source later in the day, once full details on the vulnerability are disclosed.
The company has already sent its patch to hardware partners, and both Sprint and Samsung have begun pushing the update to their affected handsets, according to Android Police. Mobile devices that are no longer affected by the Stagefright vulnerability include the Nexus 5 and Nexus 6; the Galaxy S5, S6, S6 Edge, and Note Edge; the HTC One M7, One M8, and One M9; the LG Electronics G2, G3, and G4; the Sony Xperia Z2, Xperia Z3, Xperia Z4, and Xperia Z3 Compact; and the Android One.
Starting Wednesday, Nexus devices will receive regular monthly security updates, Google announced yesterday while describing how it distributes Nexus security patches. Monthly security patches will apply to the Nexus 4, Nexus 5, Nexus 7, Nexus 9, Nexus 10 and Nexus Player. Samsung has also begun introducing a new update process for the Android phones it sells.
During the Black Hat security conference in Las Vegas, Adrian Ludwig, Google’s lead engineer for Android security, said the researchers who discovered the Stagefright bug exaggerated the threat and how it could affect real-world users. More than 90 percent of Android phones on the market have a security measure known as address space layout randomization in place, which is designed to significantly lessen the damage an attacker can do when exploiting vulnerabilities. Ludwig also said less than 0.15 percent of Android users who install apps exclusively from the Google Play store have any type of potentially harmful app installed.
The severity of the vulnerability and the sheer number of vulnerable phones on the market prompted Google to improve the way it distributes security updates to its handsets. It’s too early to know whether the security update Google released Wednesday will help solve the glaring vulnerability, but the number of manufacturers pushing Wednesday’s Stagefright patch is a good sign.