Last week, details emerged of a major vulnerability at the heart of the Android OS. Attackers can target Stagefright, the Android component that manages multimedia playback, and exploit the vulnerability to take control of a device using seemingly innocent media content such as an MMS message or a video embedded in a web page.
The researcher who published details of the vulnerability said that he had created a patch and given it to Google in April – but the slow rate at which Android updates roll out has meant that an estimated 95% of all active Android devices remain unprotected.
Inexplicably, almost all of Google’s own Nexus devices also remained vulnerable until this week, when the company finally released a patch for its Nexus line and committed to monthly Android security updates for those devices. Since then, other major Android manufacturers have made similar commitments.
Samsung said on Wednesday that it too would “fast track security patches over the air when security vulnerabilities are discovered”, adding that its Galaxy devices are now getting patches for the Stagefright vulnerability.
And as WIRED reports, LG has confirmed that it too will push out more regular security patches. The company said it “will be providing security updates on a monthly basis which carriers will then be able to make available to customers immediately.”
That statement is an important reminder of the historical weak link in the chain that connects Google’s updates with end users: the carriers. Unfortunately, while Google and its hardware partners are committing to swift security update rollouts, the carriers still have to approve these updates.
Given how slowly most of them deliver updates to their customers, it seems the carriers are going to have to up their game now, as any delays in rolling those security patches out will continue to leave users’ devices at risk.