Hundreds of Android devices are getting security updates to patch the Stagefright bug in one of the world's largest software updates ever.
The Stagefright bug was discovered and publicly announced in July 2015 by the security firm Zimperium. A researcher found that 95 percent of Android phones were vulnerable to the malware by opening a text message. However, Google said that 90 percent of Android devices were protected by address space layout randomization (ASLR), available in Android version 4.0 and above.
The Android platform has been regularly criticized for its security. Although Google has made numerous changes to the operating system to enhance its security, it still takes time for it to get critical updates.
Google can update its own Nexus lineup in no time, just like how Apple can patch any flaws on iOS. But Google, which runs the Android Open Source Project, the coding initiative at the heart of the operating system, does not have direct relationships with the vast majority of Android users because most Android users have their own carriers and favorite mobile manufacturers.
Even if a manufacturer has the update for a bug, it still has to check with its users' mobile phone carriers before it can push out updates to the devices. The longer the process, the longer it takes an Android user to get the update he or she wants. Furthermore, there is no telling when a manufacturer's update will be released. It all depends on the manufacturer addressing the concern.
Described as the 'worst Android vulnerability in the mobile OS history', the Stagefright bug abuses the way Android itself processes multimedia sent via text messages. With Hangouts, multimedia files are automatically processed as soon as they're received.
So even without the user knowing or reading the message, the malicious code could run and infect the device.
All the attacker needs is a phone number. By sending a multimedia file that is infected with the code, the attacker can turn an Android phone against its user at will. The Stagefright bug gives the attacker complete control of a handset. With that control, they can copy any data stored on it.
They can also take over the microphone and camera, for example, after a specific message is received, and cause more serious privacy damage.
These vulnerabilities are believed to be extremely dangerous because they don't require the victim to take any action to be exploited.
So with nothing more than the phone number of an Android phone, a single sent message is enough for huge damage to be considered done.
"It is the case that nearly all Android devices had a vulnerability," said Google's Adrian Ludwig.
Google is updating all Nexus devices to address the Stagefright vulnerability. The security updates, which are being pushed over the air to the entire Nexus line, will stop the Hangouts app from preloading assets such as malware-embedded videos.
Other device manufacturers are also following Google's lead and working to push out Google's patch to their customers. Ludwig announced that Google would provide monthly security updates and service bulletins. Samsung and some other popular manufacturers have made similar commitments.
Ludwig called it "the single largest unified software update the world has ever seen," given that there are an estimated 1 billion Android users.
To keep this from happening, Android users, especially those on older versions of Android, can use alternatives to Hangouts. Other apps usually don't process multimedia files unless the user opens the app or accesses the file themselves. This can greatly reduce the risk.
Although this is still risky, the user can safely delete the probably infected file. And if anything should happen, the user can at least identify who sent the message.