Industry News

Android security update once again addresses MMS malware flaws, but will your phone get fixed?

Many Android users are running devices riddled with security holes, the most serious of which could allow a remote attacker to infect your smartphone with malware, simply by tricking you into opening an email, opening an MMS or browsing a website containing a boobytrapped media file.

Do you get a sense of deja vu? You should do. Because last year, security researchers uncovered a critical security vulnerability they named Stagefright that reportedly put 95% of the one billion Android handsets at risk of remote exploitation via malicious media files.

Now, like then, Android’s handling and processing of multimedia files is to blame.

In fact, Google has issued a string of more than 20 patches for its Android Mediaserver code since last August, proving that this is an Achilles heel for Android security. And the fact that some of the flaws can be exploited simply by sending an MMS is concerning, as all an attacker needs to know is his or her victim’s phone number.

Clearly Google needs to work harder at fixing the Mediaserver code to prevent serious security holes from continuing to bubble up, and potentially putting millions of users at risk of attack.

Yesterday Google released its latest security update for Nexus devices running Android, as part of its now regular roll-out of monthly security patches – revealing the existence of more security holes in Android Mediaserver, as well as other parts of the operating system.

It’s comforting news for Nexus users, of course, that a patched version of Android is on its way to them, but the announcement inevitably leaves owners of Android devices built by other manufacturers wondering if they are going to be similarly blessed with a patch.

Their only solace is that Google says it has received no reports of the vulnerabilities being actively exploited, although – of course – often criminals only start to experiment with a flaw when details of the problem become public.

When Google initially responded to the concerns raised by Stagefright by announcing it would finally start issuing security updates on a monthly basis, major manufacturers Samsung and LG chimed in that they would also improve their responsiveness in rolling out patches.

Let’s hope that manufacturers and service providers work closely and quickly together to ensure that over-the-air patches are issued in a timely fashion, and that we do not see a repeat of the all too common situation where many Android owners are treated poorly and no officially-sanctioned security updates are made available to them – regardless of whether they are keen to update their devices or not.

If you’re a Nexus user, you can follow Google’s instructions for determining if you are running a version of Android with the correct security patch (Builds LMY49H or later and Android M with Security Patch Level of March 01, 2016 or later).
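For anyone auditing more than one handset, the check above can be scripted against the output of `adb shell getprop`. The following is an added example, not part of the article or Google's instructions; it assumes getprop's `[key]: [value]` output format, that `ro.build.version.security_patch` is present only on Android 6.0 and later, and that build IDs within the LMY (Lollipop) family sort lexicographically. The sample property dumps are constructed, not captured from real devices.

```shell
#!/bin/sh
# is_patched "<getprop output>": print PATCHED or UNPATCHED and return 0/1,
# using the two thresholds quoted in the article: build LMY49H or later on
# Lollipop, security patch level 2016-03-01 or later on Marshmallow.
is_patched() {
    props="$1"
    # Assumption: ro.build.version.security_patch only exists on Android 6.0+.
    patch=$(printf '%s\n' "$props" | sed -n 's/^\[ro\.build\.version\.security_patch\]: \[\(.*\)\]$/\1/p')
    build=$(printf '%s\n' "$props" | sed -n 's/^\[ro\.build\.id\]: \[\(.*\)\]$/\1/p')

    if [ -n "$patch" ]; then
        # Marshmallow path: turn YYYY-MM-DD into YYYYMMDD and compare numerically.
        if [ "$(printf '%s' "$patch" | sed 's/-//g')" -ge 20160301 ]; then
            echo PATCHED; return 0
        fi
        echo UNPATCHED; return 1
    fi

    case "$build" in
        LMY*)
            # Lollipop path: no patch-level property, so fall back to the build ID.
            # Assumption: IDs in the LMY family (LMY47V, LMY48M, LMY49H, ...) sort
            # lexicographically, so the smaller of {build, LMY49H} being LMY49H
            # means build >= LMY49H.
            if [ "$(printf '%s\n%s\n' "$build" LMY49H | sort | head -n 1)" = LMY49H ]; then
                echo PATCHED; return 0
            fi
            ;;
    esac
    echo UNPATCHED; return 1
}

# Constructed sample dumps (not real captures). In practice, feed in
# "$(adb -s <serial> shell getprop)" for each device.
SAMPLE_M_PATCHED='[ro.build.id]: [MMB29V]
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-03-01]'
SAMPLE_M_OLD='[ro.build.id]: [MMB29K]
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-02-01]'
SAMPLE_L_PATCHED='[ro.build.id]: [LMY49H]
[ro.build.version.release]: [5.1.1]'
SAMPLE_L_OLD='[ro.build.id]: [LMY48M]
[ro.build.version.release]: [5.1.1]'

# Stand-alone demo: one verdict per sample; keep going after UNPATCHED.
for sample in "$SAMPLE_M_PATCHED" "$SAMPLE_M_OLD" "$SAMPLE_L_PATCHED" "$SAMPLE_L_OLD"; do
    is_patched "$sample" || true
done
```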

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.