Google has kept true to its word and has released a gaggle of updates for its Nexus Android devices.
Let's hope that this time they've managed to fix the Stagefright vulnerability properly, as their first attempt was a dud.
There is no word from Samsung and LG so far regarding when they will be issuing their promised updates for Android customers. Do you hear those crickets?
Ars Technica has already reached out to the other major brands manufacturing Android devices, and is waiting for a response.
I would expect that HTC, Motorola, and one or two others will roll out batch updates shortly, as that was the pattern last month for the initial updates. In other words, the flagship models get the fixes.
Now, that’s all fine and good, but completely inadequate to the task at hand.
As we all know, there will be hundreds of millions of Androids left out of the patching party.
31% of Android users are still running Jelly Bean, which had a handful of vulnerabilities before Stagefright. And there are several other vulnerabilities that came out of Black Hat USA 2015. Certifi-gate, for instance, is just as bad as Stagefright.
But wait, there's more!
Not only does Google have to worry about AOSP (Android Open Source Project) security patches for all the recent vulnerabilities, but at the USENIX conference last month, researchers from Indiana University explained how they had created a new tool named "MassVet" that scanned millions of apps from several app stores, including the Google Play store, for malware.
Researchers Kai Chen, Peng Wang, Yeonjoon Lee, XiaoFeng Wang, Nan Zhang, Heqing Huang, Wei Zou and Peng Liu explain in their paper that it can vet an app "within 10 seconds at a low false detection rate."
Shockingly, the researchers found over 127,000 malicious apps, over 30,000 of which were in the official Google Play store! Furthermore, they also found twenty zero-day vulnerabilities…
So, with all that said, is it time to chuck your Android phone in the shredder?
No, not just yet.
But what we should be doing is raising awareness of these issues to our OEMs and carriers.
There are groups of dedicated people already working on solutions to the sticky problem of Android's security update process, and there are already solutions to mitigate vulnerabilities for the enterprise.
But the feeble attempts now are just not acceptable. We should not have to buy a new device every year or two, just to stay safe.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.