Google fixes another “Stagefright” type bug in Android mediaserver

If you have an Android, keep an eye out for updates from your vendor or carrier – there are some critical security patches out.

Google has fixed 12 vulnerabilities affecting Android versions 4.4.4 through 6.0.1, including five rated as “critical” – the designation for the worst kind of security bug.

The most serious vulnerability in this batch is a remote code execution (RCE) bug, designated CVE-2015-6636, in Android’s mediaserver component.

Mediaserver is often used to render remotely-supplied multimedia content, so Google is warning that an attacker could exploit the bug to run malware hidden in booby-trapped media files delivered via multiple methods, including email, web browsing and MMS.

Mediaserver is a “core part of the operating system,” with access to video and audio streams as well as run-time privileges that third-party apps don’t have.

If this sounds familiar, that’s likely because Google has now patched 30 vulnerabilities in mediaserver since monthly Android security updates began in August 2015, according to InfoWorld’s Fahmida Y. Rashid.

This mediaserver bug is also similar to the major vulnerability known as “Stagefright,” which affected up to 95% of Android devices and could have allowed crooks to implant malware in a similar way.

Fortunately, to mitigate the bug, Google has made changes to the default Android messaging apps, Google Hangouts and Messenger, so that they “[no longer] automatically pass media to processes such as mediaserver.”

Google said it made the security update available to partners on 7 December 2015 “or earlier.”

Google and Samsung have been quicker at getting security fixes out since Stagefright, but unfortunately, carriers haven’t pushed out updates for every type of Android device affected by this latest set of vulnerabilities.

Sprint and Verizon have updated their Nexus 5 and 6 devices, according to Softpedia, which also reports that other Android devices are expected to get the updates soon, including BlackBerry PRIV, Samsung Galaxy S6, Galaxy Note 5 and “some Motorola and HTC smartphones.”

When you see a notification that the update is ready on your device, you should accept it and upgrade to the latest version of Android “wherever possible,” Google recommends.

Until you can apply the security update, be very cautious about downloading or playing media files.

Don’t accept media messages from unknown senders, and make sure the “Automatically retrieve MMS messages” setting in both Hangouts and Messenger is turned off.
