Stagefrightened Google, Samsung to push out monthly Android fixes

Android. Image courtesy of Bloomua / Shutterstock.

Android phone image by Bloomua, courtesy of Shutterstock

Stagefright is a nasty security hole in Android that can be triggered by a booby-trapped multimedia file – the sort of content that can be delivered via an MMS message.

And the fact that Android’s default SMS/MMS apps are set up to download content automatically as soon as messages arrive has scared Samsung and Google into announcing that they’ll push monthly security updates for Androids.

Samsung and Google announced the new monthly updates on Wednesday, the same day that mobile security firm Zimperium’s Joshua Drake took the stage at the Black Hat security conference to explain how some 950 million Android phones could be trojanized by receiving a rigged message.

As Paul Ducklin explained it last week when news of Stagefright first broke, the default SMS/MMS apps in Android 4.4 (KitKat) and 5.x (Lollipop) are Messaging and Hangouts respectively, and their default configuration is to download MMS content in the background as soon as messages arrive.

Many nowadays favor more current messaging systems on their devices, like WhatsApp, Snapchat or Instagram, so a reminder of what MMS is – the acronym stands for Multimedia Messaging System – might be in order.

As its name implies, it’s like SMS but it also handles multimedia such as videos, sounds, and pictures.

At any rate, it sounds as though you’re in good shape if you happen to own a Nexus Android phone and if your carrier doesn’t get bogged down in wrapping its own software around the fix.

From Google’s announcement on Wednesday:

Nexus devices have always been among the first Android devices to receive platform and security updates. From this week on, Nexus devices will receive regular [over-the-air] updates each month focused on security, in addition to the usual platform updates. The first security update of this kind began rolling out today, Wednesday August 5th, to Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player. This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues. At the same time, the fixes will be released to the public via the Android Open Source Project. Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.

That still leaves a long list of vulnerable Android phones, however: Zimperium listed 10 other vendors in its post about Stagefright.

Samsung Mobile is on that list.

Samsung said on Wednesday that it has fast-tracked security updates for Galaxy devices in light of Stagefright and is working with carriers and partners on those updates.

Stagefright has also spurred Samsung to adopt a monthly update cycle:

Samsung Electronics will implement a new Android security update process that fast tracks the security patches over the air when security vulnerabilities are uncovered. These security updates will take place regularly about once per month.

Samsung promised more details about specific models and said that timelines for release of the fixes will be out soon.

But while Google and Samsung might be on the fast track with fixes, some of the phone carriers seem to be traveling on stagecoaches whose wheels have gotten stuck in the mud.

As of Wednesday, Sprint was set to start pushing out updates to the Nexus 5 and Nexus 6, as well as Galaxy S6, S6 Edge, S5 and Note Edge devices.

But T-Mobile, for one, couldn’t even give me a good guess as to when it’s going to push out updates.

This is how we get the mud puddle where vendors and carriers get stuck: vendors use Android along with their own software, and Google has left it to the vendors to get updates out to users.

That could put Android users in the position or getting a fix for a known vulnerability months late, if they ever get it at all, because Samsung or T-Mobile or fill-in-the-blank vendor or carrier just couldn’t get its act together.

So while Samsung and Google are now intent on adopting a regular update cycle (meaning that they should always have a chance to get a fix out within the next month), that still leaves many of us at the end of the Google-vendor-carrier string, waiting for updates to trickle down.

The good news about Stagefright is that, as far as Zimperium’s Drake can see, there are no attacks in the wild.

(Yet, and only as far as one researcher can see.)

As well, as Google lead engineer Adrian Ludwig told NPR, about 90% of Android devices are protected with a technology called ASLR, short for Address Space Layout Randomization.

ASLR generally makes buffer overflow and related vulnerabilities much harder, though not impossible, for attackers to exploit.

That’s a bit of a comfort, but it’s short of a fix.

While we wait for fixes to trickle down from our respective phone vendors and carriers, there are things we can do to lessen our risk, as we outlined last week.