Google gets ready to fix the StageFright security bug in Android
August 6, 2015
If you're using an Android phone, you have reasons to be concerned, but don't worry, since Google said it will repair the StageFright security flaw in its
operating system in the next few days.
Adrian Ludwig, lead engineer for Android security at Google, said: "My guess is that this is the
single largest software update the world has ever seen. Hundreds of millions of devices are going to
be updated very soon."
All Nexus devices are going to be patched, and Samsung, Motorola, HTC, LG, Sony, Android One, and
hundreds of other manufacturers are also going to push out the patches, he said.
Some mobile handset vendors, like Silent Circle, have already patched their operating systems, he added.
"With the recent security issues, we have been rethinking the approach to getting security updates
to our devices in a more timely manner," said Dong Koh, vice president of Samsung Electronics, Mobile
"Since software is constantly exploited in several new ways, developing a faster response process
to deliver security patches to our devices is critical to keep them protected. We believe that this
new process will vastly improve the security of our devices and will aim to provide the best mobile
experience possible for our users," added Koh.
Additionally, Google, Samsung and LG have made a commitment to send out monthly security patches
to users that will repair any upcoming issues in the operating system.
Those updates have been sent out to manufacturers for several years already, but now end users
will get them as well, and they will continue for at least three years after the launch of any new
"We've looked at the events of the last few weeks and realized that we need to move faster, and
that we need to tell people what we are doing," Ludwig said.
The Stagefright security flaw was a serious issue, with 95 percent of devices potentially vulnerable,
he said, but there were mitigating factors.
Devices running Android Jelly Bean 4.1 or later had address space layout randomization (ASLR) to block
memory exploits, he said, and this bought enough time to sort out the problem.
As for the other Android security flaws from last week (Trend Micro's discovery of an integer overflow
bug in Android's media server service), that too will be fixed by the end of this week.
The security bug allowed phones to be crashed and silenced due to errors in video handling,
and a fix is now in place despite Google initially dismissing the issue as a low priority.
"Google's messenger app gets updated by end of the week so it won't build dynamic media thumbnails,"
Ludwig promised. "Thumbnails are going to be very boring for the next week..."
And it's not just about the updates: Google is investing considerably in better securing the Android
ecosystem and blocking apps that could be considered malware, Ludwig promised.
In June, Google announced Security Rewards for Android, a bug bounty scheme specifically for the
mobile operating system.
The rewards include smaller payouts for simple bug finding, similar to the bounty system for Chrome,
but a full exploit chain that shows a bug, includes an exploitable proof of concept, and results in gaining access to
the TrustZone in Android could net researchers up to $38,000.
App developers are also going to be getting warnings if their code is found to break the rules,
either inadvertently or by design.
So far, Google has warned developers about more than 60,000 applications, but Ludwig said he wanted that
number reduced to absolute zero in the long run.