Google keeps its promise, and begins rolling out monthly Android security updates

David LaVeque
@DLaVeque

Google has kept true to its word and has released a gaggle of updates for its Nexus Android devices.

Let’s hope that this time they’ve managed to fix the Stagefright vulnerability properly, as their first attempt was a dud.

There is no word from Samsung and LG so far regarding when they will be issuing their promised updates for Android customers. Do you hear those crickets?

Ars Technica has already reached out to the other major brands manufacturing Android devices, and is waiting for a response.


I would expect that HTC, Motorola, and one or two others will roll out batch updates shortly, as that was the pattern last month for the initial updates. In other words, the flagship models get the fixes.

Now, that’s all fine and good, but completely inadequate to the task at hand.

As we all know, there will be hundreds of millions of Androids left out of the patching party.

31% of Android users are still running Jelly Bean, which had a handful of vulnerabilities before Stagefright. And there are several other vulnerabilities that came out of Black Hat USA 2015. Certifi-gate, for instance, is just as bad as Stagefright.

But wait, there’s more!

Not only does Google have to worry about AOSP (Android Open Source Project) security patches for all the recent vulnerabilities, but at the USENIX conference last month, researchers from Indiana University explained how they had created a new tool named “MassVet” that scanned millions of apps from several app stores, including the Google Play store, for malware.

Android malware detection platform - MassVet

Researchers Kai Chen, Peng Wang, Yeonjoon Lee, XiaoFeng Wang, Nan Zhang, Heqing Huang, Wei Zou and Peng Liu explain in their paper that MassVet can vet an app “within 10 seconds at a low false detection rate.”

Shockingly, the researchers found over 127,000 malicious apps, over 30,000 of which were in the official Google Play store! Furthermore, they also found twenty zero-day vulnerabilities…

So, with all that said, is it time to chuck your Android phone in the shredder?

No, not just yet.

But what we should be doing is raising awareness of these issues to our OEMs and carriers.

There are groups of dedicated people already working on finding solutions to streamline the sticky problem of Android’s security update process, and there are already solutions to mitigate vulnerabilities for the enterprise.

But the feeble attempts now are just not acceptable. We should not have to buy a new device every year or two, just to stay safe.


David LaVeque has been an Android enthusiast since his first device, an HTC Evo 4G LTE - only a few years ago. He became interested in the infosec community while researching updates, and says he stumbled upon a security blogger who ignited his passion for security and privacy issues. David loves searching out and experimenting with all kinds of utility apps, and is a voracious reader of security blogs and research papers.
