ndroidA patch designed to fix a vulnerability in Android (that was initially disclosed to Android developers in July) is a total failure cyber security firm Exodus Intelligence has warned. The vulnerability, which was first noticed by Zimperium, affects around 950 million users of Android: by allowing hackers to utilize a feature of the platform’s built-in media player.
‘Stagefright’ loads videos in multimedia texts as soon as they arrive to save the smartphone’s user from having to wait for the video when they open the text later on. Unfortunately, hackers can add bits of malicious code into video files, meaning that when Stagefright pre-opens a video the hacker also gains access to the data contained on the phone.
After being informed about the problem, Google issued a fix to phone manufacturers, which it then integrated into its new version of Android. Now, however, a researcher called Jordan Gruskovnja, from Exodus Intelligence, has found a flaw in that fix that allows him (and other malevolent hackers) to bypass it. ‘The public generally believes the current patch protects them when it, in fact, does not,’ said Exodus on its online blog.
This latest announcement adds to worries about Android, which has seen a number of vulnerabilities affect it in recent months. David Baker, a security officer for computing firm Okta, says that the problem is that Android is an open source operating system with too many developers. ‘Stagefright is the early warning alert to a much bigger challenge,’ he says.
At the moment, because so many phone manufacturers update customized versions of Android, not many Android phones actually have the latest version installed. Phone manufacturers are supposed to update their versions of Android as security flaws are made known. The reality, however, is that while some firms do try to update or fix their version of Android, others simply do nothing – allowing the vulnerability to stay – and compromising end-user safety.
While quite a few vulnerabilities have also been found in Apple’s iOS software, information taken from the Apple Developer Portal shows that 85% of Apple Mac smartphones have the latest version of the operating system. Compare this to the 18.1 % that are running the latest version of Android Lollipop (according to Android Developer Portal) and you get some idea of the out datedness of the Android OS being run by most smartphones.
This point has been reinforced by Mr. Baker from Okta, who said ‘other manufacturers like Apple and BlackBerry control both the hardware and software. That means they can patch flaws much more quickly.’
Exodus Intelligence is now working with Zimperium which has already brought to market an App for Android users that lets them check to see if the Stagefright flaw affects them. On its website Exodus released the following statement,
‘We’ve been in contact with Zimperium and are working with them to provide coverage for detection of this flaw through their Stagefright Detector app. They have been very responsive (more so than the affected vendor), and we plan to alert them of similar flaws we’ve recently discovered.’
Since the announcement of the latest flaw (last Wednesday), Google has claimed to have a new fix,
‘We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA (Over the Air) update in the September monthly security update.’
Sadly, with the knowledge that so many phone manufacturers failed to issue the first fix, the hopes of this second fix being properly made available (to the nearly 1 billion affected users) remains a long shot.
As per usual, greedy corporations are more than happy to sell consumers products that (despite the best efforts of the security sector) they then completely fail to update correctly. As a result, the only real option for consumers is to use their money to boycott those companies that do not make a concerted effort to keep on top of security issues. By doing that, customers can cause a backlash and perhaps positively affect the future of the marketplace.