Not everybody suffers from stage fright. But if you happen to own an Android smartphone, you’re particularly susceptible — and it doesn’t matter whether you’re under the spotlight or in the crowd.
“Stagefright,” a recently exposed vulnerability in Google’s smartphone operating system, takes its name from the Android media library it affects and can be exploited to compromise a handset without the phone’s owner knowing. The bug has also highlighted problems in how the mobile operating system used by more than half the world’s smartphones gets security updates.
Stagefright was discovered by researchers last month. Technical details aside, it essentially allows attackers to get access to a targeted phone’s pictures and other data by sending a multimedia (MMS) message with a malicious video attached; because phones typically fetch and process such attachments automatically, the owner need not open the message for the attack to succeed. According to Zimperium, the company that uncovered the bug, Stagefright puts 950 million Android devices at risk. But there’s hope: the company reported the problem to Google and submitted patches before telling anyone else.
According to Alex Rice, co-founder and CTO of security firm HackerOne, Android’s open-source nature is what allowed the bug to be discovered in the first place, because anybody can look under the hood and check for problems. “One of the things that Android does fairly well is that it’s an incredibly open and transparent platform,” Rice says. “Through (Google’s) bug bounty program and a number of other factors, they actively encourage discussion and participation on the security of the platform.”
But uncovering and patching Stagefright is only the beginning. Updates need to be pushed out to 95% of all Android phones to make sure they’re protected. In an odd twist, that’s a feat made more complicated by Android’s open nature. Handset makers like Samsung and HTC alter Google’s stock Android software to differentiate their products from one another with exclusive interfaces and features. But that means they also need to make new security patches compatible with their modified software. Historically speaking, manufacturers haven’t done a great job of pushing out security updates, especially for older phones.
Part of the problem is the business model around mobile phones, Rice says. “If you walk into a Verizon store and purchase a Samsung Galaxy that has a platform built by Google,” he asks, “whose customer are you, in that case?” In that situation, Rice thinks Verizon should own the relationship with the customer, since it’s the company that’s taking their money. “But Verizon is three steps removed from the person who receives the vulnerability report and is capable of fixing it,” he adds.
This lack of accountability makes Android harder to keep secure, a frustration that was enough to make Vice’s Lorenzo Franceschi-Bicchierai abandon his beloved Android device. Frustrated by the amount of time it takes security updates to filter through Google, handset manufacturers, and carriers, the security journalist argues that Android users are left exposed to bugs. By comparison, he writes, “When there’s a bug on iOS, Apple patches it and can push an update to all iPhone users as soon as it’s ready, no questions asked.”
At this month’s Black Hat USA conference in Las Vegas, an annual gathering of the world’s information security experts, Google made efforts to right the ship. With Stagefright generating a lot of the buzz, one of the talks kicking off the conference was about the state of Android security. Adrian Ludwig, one of Android’s lead security engineers, announced that Google is now committing to monthly, over-the-air security updates for three years on all Google-branded Nexus devices. Samsung and LG are reportedly making similar commitments.
“This is exactly the commitment consumers should demand from manufacturers,” says Rice, who thinks three years is a strong commitment to a device. And while many people wonder if these systemic vulnerabilities spell trouble for the future of Android, the reality is that your Google smartphone is probably safer today than it was last month. Unless you have an older model, of course, in which case you should consider upgrading — like, yesterday.