Android Firms Team on Monthly Security Fixes

Google, Samsung and LG are pledging to issue monthly security updates for their mobile devices in the wake of last month's discovery of a vulnerability that could affect 95 percent of all Android devices. The Stagefright vulnerability, uncovered by the enterprise mobile security firm Zimperium, could allow hackers to access users' devices without their knowledge.

On Wednesday, Google said it would start this week to deliver monthly over-the-top, or OTA, platform and security updates for Nexus devices 4, 5, 6, 7, 9 and 10, as well as Nexus Player. It said it would provide the public with regular security fixes through its Android Open Source Project.

Samsung also said it would launch a new fast-track program for Android security updates, providing OTA patches about once a month. Although LG has not yet made a public announcement, it unveiled similar plans in an e-mail to the media.

"My guess is that this is the single largest software update the world has ever seen," said Adrian Ludwig, Android's lead engineer for security, at the Black Hat security conference that took place this week in Las Vegas.

Rethinking Approach to Security Updates

The new tack by Android companies comes about a week and a half after Zimperium zLabs researcher Joshua Drake described a newly discovered vulnerability in the Stagefright media library on devices running Android version 2.2 and up. That covers the vast majority -- around 950 million -- of the Android devices currently in use.

The code used for Stagefright leaves it vulnerable to memory corruption and can open up devices to potential hack attacks that can gain remote access through media files delivered by MMS (multimedia messaging service) text messages, Drake said. Zimperium reported the vulnerability to Google after discovering the issue and also submitted patches for the flaw.

While Google "acted promptly...

Comments are closed.