Many Android users are running devices riddled with security holes, the most serious of which could allow a remote attacker to infect your smartphone with malware, simply by tricking you into opening an email, opening an MMS or browsing a website containing a boobytrapped media file.
Do you get a sense of deja vu? You should do. Because last year, security researchers uncovered a critical security vulnerability they named Stagefright that reportedly put 95% of the one billion Android handsets at risk of remote exploitation via malicious media files.
Now, like then, Android’s handling and processing of multimedia files is to blame.
In fact, Google has issued a string of more than 20 patches for its Android Mediaserver code since last August, proving that this is an Achilles heel for Android security. And the fact that some of the flaws can be exploited simply by sending an MMS is concerning, as all an attacker needs to know is his or her victim’s phone number.
Clearly Google needs to work harder at fixing the Mediaserver code to prevent serious security holes from continuing to bubble up, and potentially putting millions of users at risk of attack.
Yesterday Google released its latest security update for Nexus devices running Android, as part of its now regular roll-out of monthly security patches – revealing the existence of more security holes in Android Mediaserver, as well as other parts of the operating system.
It’s comforting news for Nexus users, of course, that a patched version of Android is on its way to them, but the announcement inevitably leaves owners of Android devices built by other manufacturers wondering if they are going to be similarly blessed with a patch.
Their only solace is that Google says it has received no reports of the vulnerabilities being actively exploited, although – of course – often criminals only start to experiment with a flaw when details of the problem become public.
When Google initially responded to the concerns raised by Stagefright by announcing it would finally start issuing security updates on a monthly basis, major manufacturers Samsung and LG chimed in that they would also improve their responsiveness in rolling out patches.
Let’s hope that manufacturers and service providers work closely and quickly together to ensure that over-the-air patches are issued in a timely fashion, and that we do not see a repeat of the all too common situation where many Android owners are treated poorly and no officially-sanctioned security updates are made available to them – regardless of whether they are keen to update their devices or not.
If you’re a Nexus user, you can follow Google’s instructions for determining if you are running a version of Android with the correct security patch (Builds LMY49H or later and Android M with Security Patch Level of March 01, 2016 or later).
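If you look after more than one device, the same check can be scripted. The following is an added example, not taken from Google's instructions: it compares a device's build ID and security patch level against the two thresholds quoted above. The function names and the sample inventory (including its build IDs other than LMY49H) are constructed for illustration, and it assumes that build IDs on the same LMY branch sort byte-wise.

```shell
#!/bin/sh
# Fix levels quoted in the article.
MIN_PATCH=20160301      # "Security Patch Level of March 01, 2016 or later"
MIN_LMY_BUILD=LMY49H    # "Builds LMY49H or later"

# patch_status BUILD_ID [PATCH_LEVEL] -> prints patched | unpatched | unknown
patch_status() {
    build_id=$1
    patch_level=${2:-}
    case $patch_level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            # ISO dates compare correctly as integers once the dashes are removed.
            n=$(printf '%s' "$patch_level" | sed 's/-//g')
            if [ "$n" -ge "$MIN_PATCH" ]; then echo patched; else echo unpatched; fi
            return ;;
    esac
    case $build_id in
        LMY[0-9][0-9][A-Z])
            # Assumption: IDs on the same LMY branch order by byte-wise sort.
            lowest=$(printf '%s\n%s\n' "$build_id" "$MIN_LMY_BUILD" | LC_ALL=C sort | head -n 1)
            if [ "$lowest" = "$MIN_LMY_BUILD" ]; then echo patched; else echo unpatched; fi
            return ;;
    esac
    echo unknown    # no patch level and not an LMY build: cannot tell from these values
}

# Query a USB-attached device; needs adb on PATH (not called by the demo below).
device_status() {
    id=$(adb shell getprop ro.build.id | tr -d '\r')
    lvl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    patch_status "$id" "$lvl"
}

# Constructed sample inventory: name, build ID, patch level ("-" = property absent).
audit_sample() {
    while read -r name id lvl; do
        if [ "$lvl" = "-" ]; then lvl=; fi
        printf '%s %s\n' "$name" "$(patch_status "$id" "$lvl")"
    done <<'EOF'
phone-a MXX00A 2016-03-01
phone-b MXX00B 2016-02-01
tablet-c LMY49H -
tablet-d LMY49G -
phone-e KXX00A -
EOF
}

audit_sample
```

A result of `unknown` means the device exposes neither value in a form these two thresholds cover, which is the position owners of many non-Nexus handsets are in.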
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.