Stagefright forces Samsung and Google into action

Android players are rolling out monthly update schedules.

By Alexander Sword

Major players in the Android market are working to boost its security, in the wake of recent revelations about the Stagefright bug which shook confidence in the OS.

Samsung Electronics and Google have both announced that they will provide monthly security updates to their devices to tackle security vulnerabilities as and when they arise.

Samsung didn’t provide firm details of the updates, although it recently fast-tracked updates to deal with the Stagefright vulnerability.

Google, meanwhile, rolled out the first update for Nexus devices on 5 August and promised major updates for at least two years, with security patches provided for either three years from the devices’ initial availability or 18 months from the last sale of the device via the Google Store.

The news comes in the wake of the emergence of a weakness in Android’s Stagefright facility which could allow 95 percent of Android devices to be hijacked using an MMS message, without the user taking any action at all.

Joshua J. Drake of Zimperium zLabs found the vulnerability within Android’s code, with the company labelling it the "Mother of all Android Vulnerabilities."

"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS," Zimperium zLabs wrote on its blog. "A fully weaponised successful attack could even delete the message before you see it. You will only see the notification.

"These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep.

"Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone."

The revelation of Stagefright seems to have served as something of a watershed for Android security. According to a study of 2.5 million mobile applications by PulseSecure, Android devices account for 97 percent of mobile malware.

In addition, G DATA security experts identified and analysed 440,267 new malware samples on Android in the first quarter of 2015.

Bob Tarzey, Analyst and Director at Quocirca, highlighted Android’s popularity as a motivating factor for cybercriminals.

"I think Stagefright will keep the Android community on its toes and that is no bad thing," Tarzey said. "Android, just like any other operating system, will have vulnerabilities, but more important is that Android’s success means there will be much effort to seek these out and exploit them.

"The ecosystem is complex and Google must work with its partners to ensure there is a solid update capability in place, aka Windows update for PCs."

However, Tarzey added that device vendors, such as Samsung, would be the ones expected to manage the security.

"Unlike Windows, Android is open source, so the ultimate responsibility is down to the device manufacturers, who may add to the base OS," he said.

Dong Jin Koh of Samsung Electronics implicitly cited Stagefright as the motivating factor for the new update policy.

"With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner," said Dong Jin Koh.

"Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected."
