Google has released new security patches for its Android operating system this week, tackling a wide array of vulnerabilities that could be exploited by malicious attackers.
The most critical of the patched vulnerabilities address security flaws in its troubled Mediaserver component, that could be exploited by a malicious hacker to execute code remotely on targeted devices.
In recent years, Mediaserver has often been seen as a weakspot in Android as flaws have been found in the way that Android handles multimedia content (images and video files).
A typical attack scenario might see a remote attacker attempting to infect your Android smartphone with malware, simply by tricking you into opening an email, opening an MMS or browsing a website containing a boobytrapped media file.
What may surprise some users is that an attack can even happen while you’re tucked up in bed, dreaming of Sundar Pichai, as your smartphone may process a boobytrapped file – sent via a messaging app – while you sleep.
According to the Android security bulletin, exploitation of the security vulnerabilities is “made more difficult by enhancements in newer versions of the Android platform.”
For this reason, Google encourages all users to “update to the latest version of Android where possible.”
Wise words, and ones I agree with. But the problem remains that many Android users find it impossible to update their devices.
As we described earlier this year, the problem of unpatched devices is more acute on Android than it is on Apple iOS, because iPhone and iPad users find it far easier to access and install the latest security patches.
With an Android device, whether you will ever receive a security update or operating system upgrade depends on Google, your smartphone’s manufacturer, and your carrier all acting in co-operation. This is the fundamental reason why so many devices are still running out-of-date versions of Android.
If you buy a phone that Google itself has manufactured then things are likely to run smoother, of course. But many consumers have chosen cheaper Android devices – and find themselves left behind with an out-of-date, vulnerable operating system on their phone or tablet.
Even Google smartphone owners can’t necessarily feel confident that they will always receive patches. Just last week Google revealed that its Nexus 6 and Nexus 9 devices, released in November 2014, would no longer be “guaranteed” to receive security updates after October 2017. A similar fate will befall newer Pixel and Pixel XL devices in October 2019.
Their only solace is that Google says it has received no reports of any of these vulnerabilities being actively exploited in the wild, although – of course – often criminals only start to experiment with a flaw when details of the problem become public.
Let’s hope that manufacturers and service providers work closely and quickly together to ensure that over-the-air patches are issued in a timely fashion, and that we do not see a repeat of the all too common appearance where many Android owners are treated poorly and no officially-sanctioned security updates are made available to them – regardless of whether they are keen to update their devices or not.
For more information on the latest Android security issues, be sure to read the official bulletin. Warning: it’s a long list, you’re likely to be scrolling for quite a while.