#BlackHat: Google Starts Pushing Stagefright Patches

Google is in the midst of pushing mass updates over the air (OTA) to its Nexus Android devices, to address the recently uncovered Stagefright vulnerability.

Adrian Ludwig, head of Android Security at Google, noted in a talk at Black Hat 2015 that Nexus devices, including versions 4-7, 9, 10 and Nexus Player, are now receiving OTA updates for Stagefright, which is a group of vulnerabilities that allow remote takeover of an Android device by simply sending a certain kind of file to the device via MMS. Devices can also be infected using malicious apps, and MP4 files and video files that auto-play when opening a website. Once the video has played, attackers can bypass the disabling of auto-play videos in Chrome and gain complete control of the device.

While Google is addressing its own Nexus devices, “all devices are receiving intense focus this week,” he said, noting that Samsung alone has 150 Android updates to push out. Within three weeks, he said that “every device I’ve ever heard of is getting an OTA update.”

He added, “This could be the single largest unified software update the world has ever seen—hundreds of thousands of devices are to be updated in the next couple of days.”

Also, the Google messenger app will stop the auto-loading of assets by the end of the week.

Ludwig somewhat downplayed the dangers of Stagefright—called out by researchers as affecting anywhere from 50% to 90% of Android devices—because of the fact that 95.1% of Android devices have ASLR (implemented in Ice Cream Sandwich) , which makes it difficult for an exploit to work.

Ludwig also announced that Google will take a page from the PC world and start doing monthly updates.

“We’ve been sending security bulletins to partners for three years on a monthly basis,” he said. “We haven’t been talking about it, and we need more transparency about how we’re providing those things. We looked at the events of the last few days and weeks and realized that we need to move faster and tell people what we’re doing, both immediately and on an ongoing basis.

Ludwig took the opportunity to talk up Android’s overall platform approach to security, starting with Google Play. It incorporates a confirmation that a user is going to install an app—with an unknown sources warning; it verifies apps; and then performs runtime security checks, sandboxes and permissions.

He said that while the malware instances inside Android are low, user preference for rooting their devices and the downloading of apps from outside Google Play will always open the door to a certain extent to unsafe practices.

“In general over the last 6 months, we see that around a half of one percent of Android devices have a potentially harmful application installed,” he said. “[And] we have no expectation in an ecosystem the size of Android that the number will ever be zero.”

What’s Hot on Infosecurity Magazine?