Last week researchers discovered a bug that is said to leave 95% of Android phones and tablets vulnerable to attack. Now, Google has come forward to address the issue and detail how it plans to patch the vulnerability.
The bug, which has been called Stagefright and was discovered by Zimperium zLabs’ Joshua J. Drake, lives in the media libraries Android uses to read common file formats such as PDFs.
Drake says a hacker can use this bug to install malware on a victim’s computer without any interaction from the victim — which is unusual for a virus. In most cases, a user would have to open a specific file carrying the malware to start the attack. But with Stagefright, a hacker would just have to send a malicious media file such as a photo or a video to a victim via text message.
At the Black Hat cybersecurity conference, Google’s lead Android security engineer Adrian Ludwig gave a presentation that outlined how Google currently protects Android devices and the new updates it plans to push out.
The company is pushing out new security fixes for Nexus devices on Wednesday. These fixes, which Google hasn’t detailed publicly yet, have already been pushed out to Google’s Android partners, which means they should also be coming to non-Nexus Android devices soon.
Google says the most popular Android phones will get the update in August, including the Samsung Galaxy S6 and S6 Edge, the Galaxy S5, the Galaxy Note 4 and Note Edge, the HTC One M7, One M8, and One M9, the LG G2, G3, and G4, the Sony Xperia Z2, Xperia Z3, Xperia Z4, and Xperia Z3 Compact, as well as all Android One devices.
Nexus devices will now get regular security updates every month, too.
Google is also updating the default Android messenger app so that users will have to actually click on a video to view it, which could prevent viruses such as Stagefright from spreading quickly. Currently, the Messenger app displays a thumbnail of the video when a user receives a video via text message.
Ludwig added that despite Drake’s claims, 90% of Android devices come with a technology called ASLR installed, which Google says protects them from vulnerabilities such as Stagefright. ASLR stands for address space layout randomization, which is intended to make it more difficult for hackers to exploit the memory in your phone. It’s been part of Android since the 4.0 Ice Cream Sandwich release in 2012.
The Stagefright attack allows hackers to gain control over various parts of your phone, such as its camera and microphone, Drake said in a previous interview with Business Insider UK’s Alastair Stevenson. The attack could be executed without the victim’s knowledge.
“The scariest part is that a Stagefright attack does not require any action by the victim, meaning the flaw can be exploited remotely while a device owner is asleep,” Drake said.