95% of Android phones, including Google’s own line, are subject to a major security flaw. The flaw is a result of six critical vulnerabilities in the Android operating system. By simply sending a text message, a hacker can take control of any Android phone (version 2.2 and higher). The flaw directly affects the part of the Android operating system called Stagefright, which allows phones and tablets to display media content. A maliciously crafted video is able to deliver a program to the phone that will run as soon as the video has been processed by Stagefright, giving an attacker the chance to write code to the device and thereby gain access to audio and video data via its microphone and camera.
More worrying is that Hangouts, Google’s messaging app, automatically pre-processes videos as they’re received in order to reduce the delay if a user wishes to watch them immediately. If the video is sent as an MMS message, the bug can take over the device before you have even been notified that you’ve received a message. Even in Android’s default messaging app, the phone’s operator doesn’t need to view the video for the bug to take effect, but need only look at the message.
Researcher Joshua Drake, from mobile security firm Zimperium zLabs, spotted the flaw earlier this year and provided Google with details of the bug back in April. Drake also gave the company patches for the errors. Drake gave Google a 90-day embargo before going public so that they could issue a fix to users.
Google has recently issued a statement saying that they have already sent out a fix to their partners to protect users, and that they intend to “push further safeguards to Nexus devices starting next week”. The revelation brings into focus an enduring security problem for Android, however: the speed at which fixes for software errors are able to filter down to end users. Unlike Apple, whose users can receive patches immediately, Google (which makes the Android operating system) doesn’t have the power to push patches to the majority of Android devices. This is because the majority of Android devices are created by other companies like Samsung or HTC, who, in turn, must negotiate with phone companies before patches can be sent out to end users.
Chris Wysopal, the Chief Information Security Officer for app security specialists Veracode, has raised concerns about the slow speed of Google’s proposed fix. “Waiting for handset manufacturers or carriers to issue a patch would be problematic”, he said, because “it could take a month or more before each party issues a patch”.