Stagefright bug changes Android security

It’s been 10 days since Zimperium’s Joshua Drake revealed a new Android vulnerability called Stagefright — and Android is just starting to recover. The bug allows an attacker to remotely execute code through a phony multimedia text message, in many cases without the user even seeing the message itself. Google has had months to write a patch and already had one ready when the bug was announced, but as expected, getting the patch through manufacturers and carriers was complicated and difficult.

But then, something unexpected happened: the much-maligned Android update system started to work. Samsung, HTC, LG, Sony and Android One have already announced pending patches for the bug, along with a device-specific patch for the Alcatel Idol 3. In Samsung’s case, the shift has kicked off an aggressive new security policy that will deploy patches month by month, an example that’s expected to inspire other manufacturers to follow suit. Google has announced a similar program for its own Nexus phones. Stagefright seems to have scared manufacturers and carriers into action, and as it turns out, this fragmented ecosystem still has lots of ways to protect itself.

It’s still early, and most devices won’t receive the patch until later this month, but Android security head Adrian Ludwig is optimistic that most Android users will be protected by existing mitigation systems, and expects patches to be deployed before attackers can break through. “The early reports triggered a very, very strong response,” Ludwig told The Verge. “The OEMs are now really understanding and the ecosystem is really understanding how to react more quickly, because we all see that it’s necessary.”

At the same time, the wave of negative publicity around Stagefright seems to have spurred manufacturers into action. Samsung’s VP of partner solutions Rick Segal says the move to rolling updates has been in the works at Samsung for six months. Enterprise customers have long lobbied for better security on the devices, and when a vulnerability in Samsung’s Swiftkey keyboard was discovered earlier this summer, the company was impressed by the positive customer response to the quick patch. The widespread public alarm over Stagefright was enough to tip the scales on the new feature. “Really, it’s the right thing to do,” Segal told The Verge, “and you’re not going to see any pushback from carriers or partners or anything because everybody knows it’s the right thing to do.”

by Russell Brandom

See Full Story on theverge.com
